We (at Tachyon) found an auth bypass in MLflow
We've periodically been running our scanner on OSS repos as a fun experiment. Here's one of the most interesting issues it found.
Auth bypasses defy most patterns, and require reasoning about the actual underlying logic of the application. You can see how the scanner found it here: it inferred an invariant and then noticed this wasn't enforced on certain APIs. Then, it stood up the actual service, wrote a PoC using the unauthenticated endpoints, and verified it could break something.
This netted us $750! It's not too much, but validation is always nice :)