Sadly, this selection is set to false by default in old releases, which means that every one previous Log4j releases since 2.10.0, when this option was added, are vulnerable by default. Having the latter option is rather more convenient, because it lessens the danger of shedding important information.