Apparently FOSS developers have been getting this kind of slop report even though they clearly don't offer a bug bounty.

There are no shortage of people wanting to be able to say they found CVE-XXXX-XXX or a bug in product X.