Curl project founder snaps over deluge of time-sucking AI slop bug reports

Accepted submission by Fnord666 at 2025-05-09 18:16:53
Security

Curl project founder snaps over deluge of time-sucking AI slop bug reports [theregister.com]

Curl project founder Daniel Stenberg is fed up with the deluge of AI-generated "slop" bug reports and recently introduced a checkbox to screen low-effort submissions that are draining maintainers' time.

Stenberg said the amount of time it takes project maintainers to triage each AI-assisted vulnerability report made via HackerOne, only for them to be deemed invalid, is tantamount to a DDoS attack on the project.

From now on, every HackerOne report claiming to have found a bug in curl, a command-line tool and library for transferring data with URLs, must disclose whether AI was used to generate the submission.

If selected, the bug reporter can expect a barrage of follow-up questions demanding a stream of proof that the bug is genuine before the curl team spends time on verifying it.

"We now ban every reporter instantly who submits reports we deem AI slop," Stenberg added. "A threshold has been reached. We are effectively being DDoSed. If we could, we would charge them for this waste of our time."

Citing a specific recent report that "pushed [him] over the limit," Stenberg said via LinkedIn: "That's it. I've had it. I'm putting my foot down on this craziness."

[...] Generative AI tools have allowed low-skilled individuals with an awareness of bug bounty programs to quickly file reports based on AI-generated content in the hope they can cash in on the rewards they offer.

However, Stenberg said that it is not just the newbies and grifters using AI to chance their luck on a bounty program – those with a degree of reputation are also getting in on the act.

The report that pushed the project founder over the edge was made two days ago and was a textbook AI-generated submission.

It was pitched as "a novel exploit leveraging stream dependency cycles in the HTTP/3 protocol stack was discovered, resulting in memory corruption and potential denial-of-service or remote code execution scenarios."

Ultimately, though, it was found to refer to nonexistent functions.