We got contacted by someone spoofing an openbugbounty.org report (similar domain, sent from a Gmail account if you checked headers). The report was copy-pasted from one for a different site, and it didn’t really apply to us (but you had to know the internals). Worst part: based on the email the spoofer used, and the one associated with their PayPal, they had two legit profiles on openbugbounty.org with hundreds of verified bounties.