AI slop got better, so now maintainers have more work
Briefly

"Over the last few months, we have stopped getting AI slop security reports in the curl project. They're gone. Instead, we get an ever-increasing amount of really good security reports, almost all done with the help of AI."
"Greg Kroah-Hartman noted how AI-assisted bug reports contained less slop and more valid concerns, indicating that while the volume of reports has increased, smaller teams may struggle to manage them."
"Most of the reports have been closed because the issue isn't a serious threat, even if it might be something worth correcting. For example, a data race in a curl library was initially discussed as an issue that might get a CVE."
"Stenberg called out the problem of AI slop bug reports and stopped paying awards for curl vulnerability reports to remove the incentive for erroneous submissions."
AI models have improved the quality of code evaluation, leading to a surge in valid security reports for open-source projects like curl. Daniel Stenberg, founder of curl, noted a decrease in low-quality AI-generated reports and an increase in substantial submissions. However, this influx has created a heavier workload for maintainers. While reports are more valid, many identified issues are not critical security flaws, leading to a backlog of non-threatening concerns. Stenberg has even ceased monetary rewards for vulnerability reports to discourage unsubstantiated submissions.
Read at The Register