What process? Wasn't the default state of things to just let any random person of the street spam vulnerability reports without validation or quality control?