Comment on GitHub dismissed security reports on flaws now exploited by supply-chain worm, researchers say
Sinonatrix@hexbear.net 4 days ago
I hate sitting out a GitHub bash, but they're entirely right, and neither of those are vulnerabilities. HackerOne isn't for arguing over design.
Important projects should use signed commits, and there should be a giant red flag raised when repositories are force-pushed, IMO, but those are two different issues, neither of which can be cashed in for a bug bounty.