Hi Alesandro,
Thanks for your email.
I'm responding on-list to allow others to respond as well, but there are a couple of things here:
1) The specific ClusterFuzz reports you linked are not at all external reports. These are internal reports based on bugs discovered by our internal fuzzing infrastructure from fuzzers contributed by internal team members.
2) We welcome and do have external researchers who contribute to our fuzzer infrastructure with fuzzers of their own and are paid a fuzzing bonus for valid security bugs found by their externally contributed fuzzers. The bugs from those reports are treated as external security reports in that we consider them for VRP rewards.
The report in the bug tracker is the summary of the report that the specific fuzzer within the greater automated internal fuzzing infrastructure produces.
These ClusterFuzz reports, however, are not the same as reports from external researchers as they are internal findings based on the output of a particular fuzzer in the fuzzer infrastructure. An automated report is produced in our internal system that is part of that greater fuzzing infrastructure and is not able to be shared externally.
Amy