Well, I can imagine that some of them are able to validate and verify the vulns since some of them are 'fluent C speakers' and they're always looking for people with such skills. But ALL vulns? I don't think that's true...