Hacker News

ses1984 today at 12:51 PM

Linus also said

“AI tools are great, but only if they actually help, rather than cause unnecessary pain and pointless make-believe work,” he wrote. “Feel free to use them, but use them in a way that is productive and makes for a better experience.”

So I think the closing remark from The Register isn’t really appropriate given the context from the quotes they pulled.


Replies

dathinab today at 3:46 PM

the problem here is that many of the submissions are not "make-believe work" but actual existing security issues

it's just that in the past people most times didn't find security vulnerabilities independently of each other without knowing about the others en masse

worse, it's non-trivial to dedup on the submitter side, nor on the receiver side (as long as we stay with a classical mailing list format)

and while this might be fixable with an AI auto-grouping duplicates etc., getting that right is _hard_, especially if we consider that there can be a lot to gain for an adversary to use prompt injection and similar to cause an effective "hiding" of "useful" security issues (e.g. by wrongly causing them to be labeled as duplicate).

In addition to all the technical problems this causes some other problems: 1.) additional cost you can intentionally (maliciously) increase 2.) dependence on some LLM provider 3.) trust problem wrt. the used LLM provider. Some of this can be avoided by running open models on sponsored owned hardware, but at the cost of often outdated LLM tech, higher cost, now needing to maintain additional hardware etc.
