The disclosure about being a honeypot is in the CONTRIBUTING.md:
Warning
Heads up: This is a research project — bounties listed here are symbolic and part of an academic study on open-source contribution patterns. PRs are reviewed for research purposes only and will not be merged into production. If you're looking for paid bounty work, this is not the right repo.
Which makes it slightly surprising that those bots with system prompts to find "high value bug bounty targets" or similar aren't deterred by that when they pull the repo. I guess it's a sort of task blindness where, once they've gone as far as to git clone, they've already switched gears from searching GitHub for qualifying bounties into a find bug -> fix bug -> open slop PR mindset to close the loop and end the turn? By that point an incidental warning they ingest in passing, while looking for the Solana contract vulnerability they already committed to working on in a comment, might not even register as relevant to the task at hand.