I think the problem is this: how do they distinguish between those with a legitimate interest (contributors, users, bounty programs, etc.) and those who want to sell the bug on the black market?
Since there's no real solution, they'll implement some "trick" that as a side effect will randomly block other people's work.
My point is that if I do cookie manipulation it's very hard for them to check if I'm in good or bad faith, so they will end up implementing something unpredictable (and will not give you any hints the same way you don't get any hint where you are banned from a social network).
Since there's no real solution, they'll implement some "trick" that as a side effect will randomly block other people's work.