
Log4j Maintainers Drowning in AI-Generated Security Reports, 95% Are Junk


Fifty security reports in three months. Maybe one of them worth investigating. That's the reality facing the maintainers of Apache Log4j, the Java logging library that was at the center of one of the worst security vulnerabilities in internet history back in 2021 (Log4Shell, CVE-2021-44228).

In a GitHub discussion posted this week, Log4j maintainer Piotr Karwasz laid out the numbers: between December 2025 and February 2026, the project received 50 security reports through its bug bounty program. By the team's estimate, roughly one in twenty represents "even a minor, legitimate issue." The rest? AI-generated slop - reports that look superficially professional but fall apart under any real scrutiny.

The Numbers Tell the Story

For context, between July 2024 and November 2025 (17 months), the project received just 32 reports, which led to 3 published vulnerabilities. Then the floodgates opened. In the recent three-month surge, security submissions (50) outnumbered the ordinary community bug reports filed against the project during the same period, which totaled around 20.

The pattern is familiar. Bug bounty hunters are feeding source code into AI tools, collecting whatever the model spits out, and submitting it without verification. The reports use correct terminology, follow standard formatting, and mirror the structure of real CVE write-ups - all surface-level signals that a triager once used as a cheap proxy for a human expert having done actual analysis. Now those signals carry no information about whether anyone verified the finding.

Open Source Is Running Out of Patience

Log4j isn't alone. The curl project recently shut down its bug bounty program entirely over the same problem. The OpenSSF (Open Source Security Foundation) Vulnerability Handling Working Group is now developing best practices specifically to address AI-generated report spam.

The Log4j team's response is pragmatic but telling. They're implementing a triage system where only clearly serious reports get immediate attention. Everything else goes into a queue processed "as time permits, even if that means waiting weeks or months." Karwasz himself says he'll cap security report work at 20% of his volunteer time.

This is the part that should concern anyone who depends on open source software (which is everyone). These maintainers are mostly volunteers. When you flood them with junk, you don't just waste their time - you create a needle-in-haystack problem where a real vulnerability could sit unreviewed for months because it's buried under 49 AI hallucinations.

The irony is sharp. AI tools are supposed to help find security issues. Instead, they've turned bug bounty programs into a denial-of-service attack on the humans who actually fix the bugs.