This was new to me. Someone using the standard tool https://mxtoolbox.com checked my domain, found that my DMARC record is marked to report-only (rather than quarantine). So they assume I have money to spend on this as a monetary reward for the bug hunt.
For a personal domain? FOr someone who has blogged about DMARC already? Nice try.
As a PSA, while I have you here, make sure your own DKIM and DMARC are enabled. Don’t let the spammers scam you or others on your behalf.