ehhthing 10 hours ago

This already exists on the previous platform curl was using (HackerOne), it does not prevent the slop.

At my previous employer, I had access to the company’s bug bounty submissions and I can assure you no matter what you try to do, people will submit slop anyway. This is why many companies will pay for “triage services” that do some screening to try to ensure that the exploit actually works.

Unfortunately this means that the first replies to many credible reports are from people who aren’t familiar with the service, meaning that reports often take a long time to be triaged for no reason other than the fact that the reporter assumed that the person reviewing the report would actually understand the product. It’s hard to write good, concise reports if you can’t assume this fact.

Honestly, I don’t know what can be done to fix all of this. It’s a bad situation for everyone involved, and only getting worse.