Comment by kccqzy

Option (c) is now thoroughly outdated in the age of AI. Offering a bug bounty attracts the kind of people who think they can make a quick buck using AI and then flood you with bogus bugs found by non-SOTA models. See curl.

What worked is to remove the bounty and simply allow people to report bugs responsibly. This attracts the kind of altruistic volunteers who want more secure software for ideological rather than financial reasons. They still use AI but you won’t see slop.