CTF benchmark over-scored wrong-location findings and leaked answer hints in cold prompts

A CTF/security-audit benchmark showed a cold/no-graph model earning high raw points despite zero graph calls and no solved flags. Investigation showed two benchmark issues: findings that cited the wrong vulnerable file/function could still earn explanation, PoC, patch, and cross-repo partial points; and cold prompts exposed answer-shaping metadata such as CVE, bug class, difficulty/points, and targeted audit guidance.