[ryandrake]

I don't understand this. If that project is not offering a bug bounty, why are they getting so many PRs? What possible incentive is there to spend real money on tokens just to push junk PRs? Are the PRs spamming a product or something?

[jubilanti]

Why does every programming job application ask for your GitHub profile? The industry used open source contributions as a proxy for candidate quality, and this is Goodhart's law in action.

[andai]

It's also why the default approach is to install several hundred unnecessary dependencies.

[0xf00ff00f]

They're offering bounties: https://github.com/UnsafeLabs/Bounty-Hunters/issues

[Lalabadie]

To clarify: The fake issues, in the fake repo, have bounty labels.

[HnUser12]

“Heads up: This is a research project — bounties listed here are symbolic and part of an academic study on open-source contribution patterns. PRs are reviewed for research purposes only and will not be merged into production. If you're looking for paid bounty work, this is not the right repo.”

[reaperducer]

Maybe once the account has enough stars and reputation, the human behind it will use it to try to get an actual paying job.

Almost every time someone on HN asks how to increase their chances of employment, the response is to contribute to other people's Git* projects.

[alexandra_au]

They see it as an investment, they're basically shooting in the dark hoping they'll hit their target and get a bounty payout.

[pdimitar]

My mind absolutely doesn't bend that way but I'd suppose clout and popularity?