> In the software development / security world, someone reporting a vulnerability to you is one of the greatest things one human can do for another.

Depends on context. When it's a knowledgeable user reporting the issue, you're right.

What I mostly encounter are for profit "security researchers" who try to profit on fear and/or misunderstanding.

Yes. As someone who spent years on the receiving end of these, I'd change my original post to be about "real" vulnerabilities, not the results of automated scans.

Unfortunately something like 90% of "vulnerability reports" are some guy in India running an automated scanner reporting something that isn't actually a vulnerability and demanding $1,000+. This creates a ton of noise in the system both for legitimate security researchers and the people stuck managing vulnerability disclosure programs.