Comment by varenc
Also consider putting a security.txt[0] file on your main domain, like here: https://opencode.ai/.well-known/security.txt
I also just want to sympathize with the difficulty of spotting the real reports from the noise. For a time I helped manage a bug bounty program, and 95% of issues were long reports with plausible titles that ended up saying something like "if an attacker can access the user's device, they can access the user's device". Finding the genuine ones requires a lot of time and constant effort. Though you get a feel for it with experience.
[0] https://en.wikipedia.org/wiki/Security.txt
edit: I agree with the original report that the CORS fix, while a huge improvement, is not sufficient since it doesn't protect from things like malicious code running locally or on the network.
edit2: Looks like you've already rolled out a password! Kudos.
I've been thinking about using LLMs to help triage security vulnerabilities.
If done in an auditably unlogged environment (with a limited output to the company, just saying escalate) it might also encourage people to share vulns they are worried about putting online.
Does that make sense from your experience?
[1] https://github.com/eb4890/echoresponse/blob/main/design.md