Jan Lehnardt Feb 26

Log4j, *the* project that escalated the need for funding open source in the first place, is currently being DOS’d by slop vulnerability reports. Well done everyone. Slow fucking clap.

https://github.com/apache/logging-log4j2/discussions/4052

Addressing AI-slop in security reports · apache logging-log4j2 · Discussion #4052

You may have noticed that activity on the public Log4cxx, Log4j, and Log4net repositories has slowed since December 2025. I want to reassure you that the projects are still being actively monitored...

GitHub
Show threaddegenerating degenerateFeb 26

@janl Maintainer saying they'll pay for bugs... attracts people looking for a low-effort income stream.

This is a problem that doesn't exist if you don't incentivize it...

Show threadJan Lehnardt 
@hopeless yes it’s their own fault. Really. Jfc.
Feb 26 at 11:05amWeb
Show threaddegenerating degenerateFeb 26
@janl Do you maintain anything?
Show threadJan Lehnardt Feb 26
@hopeless yup, dozens of projects some of which with millions of deploys, including an ASF Top Level project.
Show threaddegenerating degenerateFeb 26

@janl I also maintain a FOSS project that's in AOSP, all the distros, and used by FAANG with multi-million deploys.

I don't pay any bounty, mainly because I don't have any money, and the huge companies that ship it, do their own Static Analysis.

I have been approached - by someone with a .bg email domain - asking about bounties, if I had said "yes", I also would be wading through the slop. So when I tell you this is self-inflicted by the maintainer, I have good reason to say it.

Show threadkalipso (24723)Feb 26
@hopeless @janl okay i also maintain stuff by fang, bang and shang and still think its doesnt make sense to blame the dev here - now what?