Open source project curl is sick of users submitting “AI slop” vulnerabilities
“A threshold has been reached. We are effectively being DDoSed. If we could, we would charge them for this waste of our time,” wrote Daniel Stenberg, original author and lead of the curl project, on LinkedIn this week.
Curl (cURL in some realms), which turned 25 years old in 2023, is an essential command-line tool and library for interacting with Internet resources. The open source project receives bug reports and security issues through many channels, including HackerOne, a reporting service that helps companies manage vulnerability reporting and bug bounties. HackerOne has fervently taken to AI tools in recent years. “One platform, dual force: Human minds + AI power,” the firm’s home page reads.
Stenberg, saying that he’s “had it” and is “putting my foot down on this craziness,” suggested that every suspected AI-generated HackerOne report will have its reporter asked to verify if they used AI to find the problem or generate the submission. If a report is deemed “AI slop,” the reporter will be banned. “We still have not seen a single valid security report done with AI help,” Stenberg wrote.
