Dear "independent security researchers", if your email to an Open Source project's security contact asks about bug bounty programs for vulnerabilities found but doesn't disclose any information about the vulnerability, then it's going to be ignored.

Mostly because you're probably eager to profit on telling us that our project is vulnerable by being... open source.

Get a life, loser.