It’s almost certainly bogus. “Security Spam” is a big problem. But responding to them with “Oh, thanks very much! We’re very happy that you have found this serious issue. Please report it to Hacker One at your earliest convenience to get the money that you so rightly reserve.” is likely how to prove to your superiors that you’re doing your job while also shutting up the spammers.
Good luck