I'd say vulnerability bounty reports *cannot* be submitted until they are peer verified. But a peer might "steal" your bounty, right?