@janl I also maintain a FOSS project that's in AOSP, all the distros, and used by FAANG with multi-million deploys.
I don't pay any bounty, mainly because I don't have any money, and the huge companies that ship it, do their own Static Analysis.
I have been approached - by someone with a .bg email domain - asking about bounties, if I had said "yes", I also would be wading through the slop. So when I tell you this is self-inflicted by the maintainer, I have good reason to say it.