Very unhelpful to get daily emails at security@grapheneos.org from people seeking bug bounties reporting we have a directory listing at apps.grapheneos.org, lack a captcha for attestation.app + discuss.grapheneos.org registration and have fairly high rate limits.
Conversation
Several people have reported AOSP security issues to us via our issue tracker which we reported on their behalf to AOSP and fixed early when it was feasible. We've never gotten a valid security report via the security@ email addresses on our domains only this kind of bounty spam.