Right, but the volume was the issue. The cURL team could only work through and verify them so quickly, so the deluge of bug reports just made it impractical for them to dedicate time to sort through it. The idea in getting rid of the bug bounty being that there would be less of an incentive to generate and write a bogus bug report.
If it was just a small handful of fake security reports, they wouldn't have minded nearly as much.
It was volume that was more the issue with the bug bounty program.
They were flooded, and recognising it is all well and good, but not if there's no good way to filter it out, not without massive collateral.
It does make it harder to find them, because the phrasing is similar, but not identical due to randomness.
Whereas before, you could probably filter a good chunk of it out by just finding the same message/keywords and filtering by that.
Quite surprised that they are pushing that, seeing as one of the biggest obstacles for Windows 11 getting adopted was that a lot of the existing hardware didn't support the TPM requirements it put in place.
Doing it again so soon seems like a recipe to make people not want to use 12 at all. After all, Windows 11 works fine for them, why change so soon?