Apparently FOSS developers have been getting this kind of slop report even though they clearly don't offer a bug bounty.
There are no shortage of people wanting to be able to say they found CVE-XXXX-XXX or a bug in product X.
alt Hacker News
There are no shortage of people wanting to be able to say they found CVE-XXXX-XXX or a bug in product X.