Addressing AI-slop in security reports

[ppkarwasz]

You may have noticed that activity on the public Log4cxx, Log4j, and Log4net repositories has slowed since December 2025.

I want to reassure you that the projects are still being actively monitored. Much of this work is simply invisible, as it is currently concentrated on handling security reports.

Since December, we have been experiencing what is effectively a denial-of-service situation through our YesWeHack bug bounty program:

• Between July 2024 and November 2025, we received 32 reports, resulting in only 3 published vulnerabilities.
• December 2025: 17 reports
• January 2026: 20 reports
• February 2026: 13 reports

For comparison, the community opened only about 20 regular bug reports against Log4j during the same three-month period.

This does not mean that dozens of serious vulnerabilities are waiting to be disclosed. Most reports since 2024 already show signs of AI-assisted generation, and recent submissions are overwhelmingly AI-generated. In practice, perhaps one out of twenty reports represents even a minor, legitimate issue.

Nevertheless, we currently treat these submissions like any other report and strive to provide thoughtful, high-quality responses, even when the input itself is very low quality. Because security reports are handled with the highest priority, this situation now consumes a disproportionate share of our available volunteer effort.

It is time to draw a line.

Context

Log4j is not the only project affected by AI-generated report spam. For example:

• curl recently closed their bug bounty program in response to this issue,
• The OpenSSF Vulnerability Handling Working Group has started work on best practices to address the problem (see AI-SLOP: Develop best current practises for Open Source maintainers ossf/wg-vulnerability-disclosures#178).

While we wait for broader, ecosystem-level solutions, we need a temporary approach that preserves our scarce resources.

Proposal

The PMC and each of its member will decide how much time to dedicate to reviews in light of this new AI generation slop problem. For example, I do not plan to spend more than 20% of my Log4j time addressing these reports.

This does not mean ignoring security submissions. Instead, reports will be quickly classified as either serious or questionable, with only the first category receiving immediate priority.

Reports in the second category will still be processed as time permits, even if that means waiting weeks or months for an assessment.

[aldipower]

One solution could be to charge a deposit if you want to participate in the bug bounty programme. If a report is classified as slop, the deposit is donated to a charitable cause. Anyone who wants to report something voluntarily without paying a deposit simply does not participate in the bug bounty programme.

[DanielRuf]

I am not sure how exactly your Bounty Program works in detail.
But when I was active on some big bugbounty platforms, there was some reputation score.

Users with a bad reputation can not report new findings in specific projects.

As security researcher I would not even report a finding, if I would have to pay some deposit.
Even if my finding would be genuine.

Not sure if getting money from possible sanctioned countries, barrier to entry, collecting personal payment information beforehand and the extra effort to handle this correctly in terms of finances are problems others keep in mind.

What does yeswehack offer for such situations like reputation-based thresholds?

1/20 or 5% genguine reports and 95% slop is a big ratio.

[garydgregory]

My idea FWIW in the YWH case is that such a program IMO pays to have us do the research (and fixes) for the reports that comes through them. They can pay the reporter if the report is valid. This forces the program (like YWH) to be more than a dumb funnel (from our perspective).

[DanielRuf]

After doing some research, is this project supported by the OSTIF, where Apache Foundation projects are mentioned in audits?
https://ostif.org/
https://ostif.org/audits/

Maybe they already have some solutions or ideas.

There are probably more initatives for funding the security of (F)OSS projects.
https://www.herodevs.com/blog-posts/eus-sovereign-tech-fund-securing-open-source-sustainability-and-why-it-matters
https://arxiv.org/html/2412.05887v2
https://openssf.org/tag/security-audits/

But I'm unsure if the company of a bug bounty platform would pay the effort to check all the reports, that are not eligible for a bounty.

[ppkarwasz]

Hi @DanielRuf,

Our bug bounty program is funded by the Sovereign Tech Resilience program of the Sovereign Tech Agency. OSTIF is also a partner in the program, but it concentrates on providing audits, while YesWeHack handles the bug bounty.

There is some concept of reputation in YesWeHack too, but all sorts of gating are not compatible with the Apache Way. We all remember our first pull request, which was kindly reviewed by maintainers, even if it was far from perfect.

Currently, there is a public tender to determine who will triage and fix our security bugs in the future (see CXP4D9LMB6A). We would love to make a proposal ourselves, but we lack a couple of hundreds thousands euros in yearly turnover. 😉

[DanielRuf]

@ppkarwasz understood, thank you for the details.