Log4j, *the* project that escalated the need for funding open source in the first place, is currently being DOS’d by slop vulnerability reports. Well done everyone. Slow fucking clap.
Addressing AI-slop in security reports · apache/logging-log4j2 · Discussion #4052
Addressing AI-slop in security reports
GitHub (github.com)
-
@janl Maintainer saying they'll pay for bugs... attracts people looking for a low-effort income stream.
This is a problem that doesn't exist if you don't incentivize it...
-
@hopeless yes it’s their own fault. Really. Jfc.
-
@janl Do you maintain anything?
-
@hopeless yup, dozens of projects some of which with millions of deploys, including an ASF Top Level project.
-
@janl I also maintain a FOSS project that's in AOSP, all the distros, and used by FAANG with multi-million deploys.
I don't pay any bounty, mainly because I don't have any money, and the huge companies that ship it, do their own Static Analysis.
I have been approached - by someone with a .bg email domain - asking about bounties, if I had said "yes", I also would be wading through the slop. So when I tell you this is self-inflicted by the maintainer, I have good reason to say it.
-
@janl I propose a slop-slap reflex theory.
It basically states that developing a quick reaction to "slap" whenever "slop" is observed is crucial for many projects. Or:
Developing a reflex of slop-slap is self-defence.