I've received them unsolicited in batches. I think there are training camps that show people how to this (spot debatable configs that I may chosen intentionally) and ask for money. Haven't seen anything exploitable.
It's often scanned, too. We have a small honeypot in our Wordpress blog that scanners assume is a vulnerability. Often I see email coming minutes after a certain file is accessed.
Whenever we ask for details or true reproductions to the issue, they're unable to provide.
