IMO this is *the* most important way to surface security vulnerabilities to developers: in context and at the time they are actually working on the code. A report that shows up in an inbox is just too far removed to encourage prompt action.
Great work!