From the tweet:

is it really fair that trillion dollar corporations run AI to find security issues on people’s hobby code?

Yes, yes it is, because you’d better believe that those who wish to do harm are. That being said, the reports had better have been reviewed and validated by a human before being submitted.

Then expect volunteers to fix.

That’s less good. A lot less good. I’d like to see these megacorps doing a lot more to support the projects their successes are built on, but I’d also be somewhat wary of any large code submissions from them, or of any attempt by them to control the direction of the project.