The disclosure about being a honeypot is in the CONTRIBUTING.md:

  Warning

  Heads up: This is a research project — bounties listed here are symbolic and   part of an academic study on open-source contribution patterns. PRs are reviewed for research purposes only and will not be merged into production. If you're looking for paid bounty work, this is not the right repo.

I guess a sort of task blindness where once they've gone as far as to git clone they've already switched gears from searching Github for qualifying bounties into a find bug->fix bug->open slop PR mindset to close the loop and end the turn? By that point an incidental warning they ingest in passing while looking for the Solana contract vulnerability they already committed to working on in a comment might not even register as relevant to the current task at hand.

Yeah but if I want to pass it to friends I need a link describing the project. I could write a summary myself but they may ignore it or find it too hard to verify.