But you might have the same vulnerability found in several different places. Reports should really only be considered duplicates if the fix to one automatically fixes the other also. Your bug found in multiple locations might happen to be set up that way -- or it might not.

This exact problem occurs frequently when a company with a bounty program makes an acquisition and brings the new software into scope for the program. The acquired code is often full of relatively easy-to-find, high-impact bugs. What I've seen people do in this case is open the scope, accept a certain number of reports, and then suspend eligibility for that software for a certain period of time.

This would look like "we've had a lot of similar bugs filed against company-we-acquired.com, and we're taking that domain out of scope for X weeks while we work on it."