Daniel Stenberg has a problem. The founder and lead developer of curl — the command-line tool baked into virtually every operating system — is being buried under security reports. Not real ones. AI-generated ones.
In his blog post ‘The Pressure,’ Stenberg describes what happens when you give people an AI tool and tell them they can make money by reporting security vulnerabilities. Earlier in 2026, the curl project received seven HackerOne submissions in sixteen hours. Most of them were junk — so-called ‘AI slop.’
The numbers are alarming
curl has already published 12 confirmed security vulnerabilities (CVEs) in the first half of 2026. The project is projecting at least 30 CVEs by year-end — a new record. But it’s not because curl has become less secure. It’s a combination of two effects.
On one side, capable security researchers are using AI tools to find genuinely deeper bugs. These reports are valuable. On the other side, less capable actors are using the same tools to produce reports that look professionally written but are substantively nonsense. And maintainers have to evaluate both — which takes time.
Bug bounty killed and resurrected
The situation got bad enough that curl shut down its HackerOne bug bounty program entirely. Stenberg wanted to eliminate the financial incentive for junk reports. The project switched to direct reports via GitHub or email.
One month later, the reversal: GitHub and email turned out to work worse than expected for legitimate security reports. So curl went back to HackerOne — with stricter filters, but the same fundamental problem.
An industry problem, not just curl’s
What Stenberg describes isn’t an isolated case. At FOSDEM 2026, he talked about how AI is changing security work in two directions: it helps real researchers find deeper bugs — and it simultaneously helps free-riders produce professional-looking garbage.
This affects every major open-source project. Maintainers — often individuals or small teams — now have to not only maintain code but also filter a growing flood of reports that look legitimate at first glance.
What this means for us
This is one of the unintended consequences of freely available AI tools. Nobody planned to flood open-source maintainers with fake security reports. But that’s exactly what happens when you combine powerful text generation with financial incentives.
The fix won’t be simple. Stricter filters help short-term, but AI-generated reports will get better. Ultimately, we’ll probably need AI-powered triage systems — ironically, the same technology that caused the problem in the first place.