GitHub user ppkarwasz created a discussion: Addressing AI-slop in security 
reports

You may have noticed that activity on the public Log4cxx, Log4j, and Log4net 
repositories has slowed since December 2025.

I want to reassure you that the projects are still being actively monitored. 
Much of this work is simply invisible, as it is currently concentrated on 
handling security reports.

Since December, we have been experiencing what is effectively a 
denial-of-service situation through our [YesWeHack bug bounty 
program](https://yeswehack.com/programs/log4j-bug-bounty-program):

* Between July 2024 and November 2025, we received 32 reports, resulting in 
only 3 published vulnerabilities.
* December 2025: 17 reports
* January 2026: 20 reports
* February 2026: 13 reports

For comparison, the community opened only about 20 regular bug reports against 
Log4j during the same three-month period.

This does **not** mean that dozens of serious vulnerabilities are waiting to be 
disclosed. Most reports since 2024 already show signs of AI-assisted 
generation, and recent submissions are overwhelmingly AI-generated. In 
practice, perhaps one out of twenty reports represents even a minor, legitimate 
issue.

Nevertheless, we currently treat these submissions like any other report and 
strive to provide thoughtful, high-quality responses, even when the input 
itself is very low quality. Because security reports are handled with the 
highest priority, this situation now consumes a disproportionate share of our 
available volunteer effort.

It is time to draw a line.

## Context

Log4j is not the only project affected by AI-generated report spam. For example:

* curl recently [closed their bug bounty program](https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/) 
in response to this issue,
* The OpenSSF Vulnerability Handling Working Group has started work on best 
practices to address the problem (see ossf/wg-vulnerability-disclosures#178).

While we wait for broader, ecosystem-level solutions, we need a temporary 
approach that preserves our scarce resources.

## Proposal

The PMC and each of its members will decide how much time to dedicate to reviews 
in light of this new AI-generated slop problem. For example, I do not plan to 
spend more than 20% of my Log4j time addressing these reports.

This does **not** mean ignoring security submissions. Instead, reports will be 
quickly classified as either *serious* or *questionable*, with only the first 
category receiving immediate priority.

Reports in the second category will still be processed as time permits, even if 
that means waiting weeks or months for an assessment.

GitHub link: https://github.com/apache/logging-log4j2/discussions/4052
