We started to receive a lot of questionable security reports to our security@domain mail. All are from India, all use Gmail addresses. Usually they claim that there is no DMARC (but they did not bother to check SPF). Or they get a 302 from our server and use <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> to claim: "The information can be used by attackers for further finding of exploits and information gathering."<p>They are partly like scams, but reporting them to Google Gmail did not help. Any clue?
Every bug program I have had any exposure to is mostly reports like these.<p>Once I started insisting researchers PGP-encrypt their submissions to prevent leaks of potentially serious and sensitive issues... A side effect was it was easy to tell authentic reports from skiddy stuff.<p>No one with any significant security research experience has been able to avoid learning basic asymmetric cryptography... But the skiddies only want to copy-paste from automated tools to hunt easy bounties.