kubernetes / committee-security-response

Kubernetes Security Process and Security Committee docs

Autorespond security@kubernetes.io -> hackerone?

lukehinds opened this issue · comments

It seems we all agree that someone with a valid vulnerability deserves an award, and we make a point of directing them towards HackerOne.

With that in mind, would it be worth us having an auto responder to outline this to any new reports:

"Thank you for contacting Kubernetes security. If you're reporting a security vulnerability, please consider using the hackerone.com/kubernetes bug bounty program, where there is an awards program."

My thinking is that everything goes to HackerOne for a first triage, and this frees us up to focus just on the assigned items, rather than a lot of dupes / non-issues?

If an auto-responder is not possible, we could still perhaps cookie-cut a reply?

Cheers,
Luke