Log4j, *the* project that escalated the need for funding open source in the first place, is currently being DoS'd by slop vulnerability reports. Well done everyone. Slow fucking clap.

https://github.com/apache/logging-log4j2/discussions/4052

Addressing AI-slop in security reports · apache logging-log4j2 · Discussion #4052

You may have noticed that activity on the public Log4cxx, Log4j, and Log4net repositories has slowed since December 2025. I want to reassure you that the projects are still being actively monitored...

@janl A maintainer saying they'll pay for bugs... attracts people looking for a low-effort income stream.

This is a problem that doesn't exist if you don't incentivize it...

@hopeless yes it's their own fault. Really. Jfc.

@janl Do you maintain anything?

@hopeless yup, dozens of projects, some of which have millions of deploys, including an ASF Top Level project.

@janl I also maintain a FOSS project that's in AOSP, all the distros, and used by FAANG with multi-million deploys.

I don't pay any bounty, mainly because I don't have any money, and the huge companies that ship it, do their own Static Analysis.

I have been approached - by someone with a .bg email domain - asking about bounties, if I had said "yes", I also would be wading through the slop. So when I tell you this is self-inflicted by the maintainer, I have good reason to say it.

@hopeless @janl Okay, I also maintain stuff by fang, bang and shang and still think it doesn't make sense to blame the dev here. Now what?

@janl I propose a slop-slap reflex theory.
It basically states that developing a quick reaction to "slap" whenever "slop" is observed is crucial for many projects.

Or:

Developing a reflex of slop-slap is self-defence.

@janl

Require an account with a credit card. Bug reports deemed inaccurate slop to be charged, at least enough to cover the time spent.

@mrose @janl Handling credit card information is... not exactly a trivial matter. Anything involving money is a legal nightmare.

@andreaskem @mrose @janl Bug bounty is by definition an activity that involves money. Bug bounty platforms already work with partners whose job is to deal with banking information, so that's a non-issue.

@janl Welcome to SlopHub