okay okay: so we used to give security people bounties for finding bugs... but what if... security people pay maintainers instead? We could walk away and not fix it and then you don't get points or money. Pay us for the points.
Why are all these leeches after points anyway? What do points on their GitHub account or name get them? A job?
Keep trying to blog about an (effective) deficiency in a thing but getting distracted by trying to fix it.
What if I expose the event queue depth? The time-to-process event queue? How to communicate to the user without confusing them, since that's still not a measurement that says "a request takes this long"?
Everyone's got their hand out...
"My AI agent found a bug, I need points (CVE/credit/etc)"
I can't afford to spend my time every week handing out points.
Are there only N bugs in the codebase? Do I need my own "agent loop" to find bugs before they do? Same time sink?