Nick Leghorn

@zate good luck, buddy!

@dubbel honestly this is one of the areas where working for the NYT is a bit strange and unique. Given how many ingress points people have for contacting The Times (letters to the editor, tips line, even the corrections department) we've always had a good volume of security-related spam coming in -- just not always to the right place. One of the hopes we had with publishing the security.txt file is to act as a lightning rod, funneling all that stuff to our responsible disclosure program where it can be handled easily instead of clogging up the inbox of the folks who deal with customers whose daily paper ended up in the bird bath and not on the front stoop (again, for example). So, part of the hope is that we will see more of that coming to us where we can better filter it out.

We've definitely seen an uptick in submissions since publication, and not necessarily valid ones. But with the way that we run our program through our vendor Synack, it hasn't led to any increased time or effort spent by our team.

Over at The New York Times we implemented the security.txt standard last year, giving security researchers an easy way to find our responsible disclosure program and submit their findings. You can read more about the concept in a blog post on the NYT Open blog that I wrote and that was published yesterday!

https://open.nytimes.com/making-reporting-effortless-especially-for-security-researchers-c2c7e96e9a55

#security #infosec #appsec #informationsecurity

Making Reporting Effortless, Especially for Security Researchers, by Nick Leghorn, NYT Open (Medium)

Improving visibility of our responsible disclosure program through implementation of the security.txt standard.
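The post above describes publishing a security.txt file so that researchers find the disclosure program instead of the customer-service inbox. As an added example (not the NYT's actual file or code), the block below shows what a file conforming to RFC 9116 looks like and a small checker for the parts that most often go wrong in practice: the required Contact and Expires fields, the https-only rule for web URIs, and an Expires date that is missing, malformed, already past, or more than a year out. The sample files and every address in them are constructed placeholders.

```python
"""Check a security.txt file against the RFC 9116 rules a reviewer looks at first.

Added example; not The New York Times's file or tooling. The two sample
files below are constructed, and all hosts and addresses are placeholders.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# RFC 9116: Contact and Expires are the only required fields; the rest are optional.
REQUIRED = {"Contact", "Expires"}
KNOWN = REQUIRED | {"Acknowledgments", "Canonical", "Encryption",
                    "Hiring", "Policy", "Preferred-Languages"}
# Practical contact schemes; RFC 9116 lists https, mailto and tel as examples.
CONTACT_SCHEMES = {"https", "mailto", "tel"}
# Fields whose value, when it is a web URI, must begin with https://.
HTTPS_ONLY = {"Canonical", "Acknowledgments", "Encryption", "Hiring", "Policy"}

# Constructed sample served from https://example.com/.well-known/security.txt
SAMPLE_OK = """\
# Constructed example; placeholder addresses, not a real program.
Contact: https://example.com/responsible-disclosure
Contact: mailto:security@example.com
Expires: 2025-12-31T23:59:00.000Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
"""

# Constructed sample with typical mistakes: plain http, a typo'd field name, no Expires.
SAMPLE_BAD = """\
Contact: http://example.com/report
Contcat: mailto:security@example.com
Encryption: https://example.com/pgp-key.txt
"""

# Fixed "now" so the Expires checks are deterministic in this example.
REFERENCE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return (field, value) pairs in file order, skipping comments and blank lines."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.append((name.strip(), value.strip()))
    return fields


def check_security_txt(text, now=None):
    """Return a list of problem strings; an empty list means the file passed these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    names = [n for n, _ in fields]
    problems = []

    for req in sorted(REQUIRED):
        if req not in names:
            problems.append(f"missing required field {req}")
    for n in names:
        if n not in KNOWN:
            problems.append(f"unknown field {n}")

    for n, v in fields:
        scheme = urlparse(v).scheme.lower()
        if n == "Contact" and scheme not in CONTACT_SCHEMES:
            problems.append(f"Contact must be an https, mailto or tel URI: {v}")
        elif n in HTTPS_ONLY and scheme == "http":
            problems.append(f"{n} web URI must use https://: {v}")

    expires = [v for n, v in fields if n == "Expires"]
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for v in expires:
        try:
            when = datetime.fromisoformat(v.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {v}")
            continue
        if when.tzinfo is None:
            problems.append(f"Expires must carry a time zone: {v}")
        elif when <= now:
            problems.append(f"file expired on {v}; researchers may treat it as stale")
        elif when - now > timedelta(days=365):
            problems.append(f"Expires is more than a year out ({v}); RFC 9116 recommends less")
    return problems


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_security_txt(sample, now=REFERENCE_NOW) or "passes")
```

Run it as a script to see the good sample pass and the bad one produce three findings (missing Expires, an http Contact, and the misspelled field). The Expires window check matters operationally: a file that has lapsed is the equivalent of an unmonitored inbox, which is exactly what publishing security.txt was meant to avoid, so the date belongs in the same calendar as certificate renewals.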