
It's the bug bounty
"Curl offers bounty rewards of up to $9,200 for the discovery and report of a critical vulnerability in the project, and has paid $16,300 in rewards since 2019."
I think these "bug reports" aresern as free lottery tickets for the bug bounty.
You have an LLM running on you hardware or some free subscription to an AI. What is easier than to deluge every bug bounty project with bug reports.
It is like Spam, if one in a million pays out, you send two million. The costs are lower than the expected payouts.
That is, assuming they are actually able to do that math. Or they can get others to pay for bandwidth, electricity, and subscriptions.