The open source project cURL used to be flooded with worthless, AI-generated security reports. Over the past few months, those have vanished — replaced by genuinely useful ones. So many, in fact, that the maintainers are struggling to keep up, says Daniel Stenberg, who leads the project.
cURL is not alone.
“I hear similar witness reports from fellow maintainers in many other Open Source projects,” Stenberg writes on LinkedIn.
Several of those colleagues back him up in the discussion thread — among them the maintainers of glibc, Vim, and Node.js.
“Over the last few months, we have stopped getting AI slop security reports in the #curl project. They're gone. Instead we get an ever-increasing amount of really good security reports, almost all done with the help of AI,” says Stenberg.
Generative AI has grown steadily better at hunting down vulnerabilities in code. Elektroniktidningen has covered that development extensively.
Stenberg has a straightforward explanation for the shift.
“I'd say it is primarily because the tooling has improved. HackerOne did basically nothing new that could explain this (plus, this is mirrored in countless other projects, many of them not on hackerone). This is a notable change in the incoming reports.”
HackerOne is the platform cURL uses to receive bug reports.
There is an unexpected downside to being flooded with good bug reports, though — there are simply too many to handle in time.
“They're submitted in a never-before-seen frequency and put us under serious load,” says Stenberg.
The challenge used to be filtering out noise. Now it is keeping pace with reports that actually matter. That is how Steve M. Hernandez, a code security specialist, puts it.
“High quality reports at higher frequency still require the triage capacity and decision consistency to keep up. The bar is moving from filtering noise to keeping pace with real signal.”
There is also something very unsettling about how easy finding vulnerabilities has apparently become. The exact same flaw can be reported several days running. Willy Tarreau, who maintains the load-balancing project HAProxy, has seen the same thing.
Vulnerability reports typically come with an embargo — time for developers to patch the code before details go public. That practice may now be pointless overhead, Tarreau argues.
“We're all progressively killing embargoes as well, they're pointless for vulnerabilities found by widely available tools, it's just trying to hide something that can be published again the next day,” he writes.