Monday, May 12, 2025

The Executive Headlines

The AI Bug Bounty Backlash: curl Creator Calls Out “Garbage” Security Reports


In a fiery and much-needed wake-up call to the tech world, Daniel Stenberg, the original author and lead developer of curl, the ubiquitous open-source tool used for transferring data across the internet, has gone public with his frustration over what he calls an avalanche of "AI slop." His target? AI-generated vulnerability reports flooding platforms like HackerOne, clogging the pipeline of genuine, useful feedback with fabricated issues dressed up in perfect English and polite bullet points.

"A threshold has been reached," Stenberg wrote in a widely shared LinkedIn post. "We are effectively being DDoSed. If we could, we would charge them for this waste of our time."

curl, which celebrated its 25th anniversary in 2023, is deeply woven into the internet’s infrastructure. From developers fetching API data to automated systems handling complex web requests, curl is everywhere. And like all prominent open-source tools, it's regularly tested, poked, and prodded by security researchers. But according to Stenberg, the nature of those tests has changed drastically, and for the worse.

AI Meets Bug Bounty, And It’s Not Pretty

The problem lies with AI-powered security submissions, primarily through HackerOne, a well-known vulnerability disclosure platform. HackerOne has fully embraced AI in its operations, championing it as a force multiplier: “One platform, dual force: Human minds + AI power,” its website claims.

But Stenberg says what’s being produced isn’t power, it’s noise.

"We still have not seen a single valid security report done with AI help," he noted, adding that from now on, anyone submitting a suspected AI-generated report will be directly asked if they used AI. If confirmed and the report lacks substance, they’ll be banned from submitting further.

The final straw came on May 4, when Stenberg received a report claiming a groundbreaking exploit involving stream dependency cycles in HTTP/3, a protocol curl supports. The vulnerability, if real, could have opened the door to race conditions, crashes, or even remote code execution.

Except... it wasn’t real.

The patch didn’t work with the tools cited. The explanation was oddly prompt-like, answering unrelated questions like “What is a Cyclic Dependency?” The author mentioned nonexistent functions and even gave git instructions that felt scraped from a tutorial. When asked for a corrected patch, they disappeared.
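Two of the symptoms in that report are mechanical enough to check before a human reads a word of it: functions that do not exist in the code base, and a patch whose context does not match the file it claims to change. The script below is an added example written for this article, not curl's tooling and not anything Stenberg or HackerOne describe; the miniature source tree, the report text and the patch are constructed stand-ins, and the regex-based detection of C function definitions is a deliberately simple approximation.

```python
"""Cheap sanity checks to run on an incoming vulnerability report before a
maintainer spends time on it.  Added example; the tree, report and patch
below are constructed, not curl's code or a real submission."""
import re
from typing import Dict, List

# Constructed miniature code base (path -> contents).  Not curl's source.
SOURCE_TREE: Dict[str, str] = {
    "lib/http3.c": (
        "static int stream_dep_add(int parent, int child)\n"
        "{\n"
        "    return parent != child;\n"
        "}\n"
        "\n"
        "int h3_stream_open(void *ctx)\n"
        "{\n"
        "    return stream_dep_add(0, 1);\n"
        "}\n"
    ),
}

# Constructed report text; quic_dep_cycle_break() does not exist in the tree.
REPORT_TEXT = (
    "Critical: h3_stream_open() calls stream_dep_add() without first calling "
    "quic_dep_cycle_break(), which allows a stream dependency cycle."
)

# Constructed patch: the first hunk's context line does not match the file
# (wrong parameter type), the second hunk targets a file that does not exist.
PATCH = """\
--- a/lib/http3.c
+++ b/lib/http3.c
@@ -6,4 +6,6 @@
 int h3_stream_open(struct h3_ctx *ctx)
 {
+    if(quic_dep_cycle_break(ctx))
+        return -1;
     return stream_dep_add(0, 1);
 }
--- a/lib/quic_deps.c
+++ b/lib/quic_deps.c
@@ -1,3 +1,4 @@
 int quic_dep_cycle_break(void *ctx)
 {
+    return 0;
 }
"""

# Approximate matcher for a C function definition at column 0:
# "<type words> name(<params>) {" with the brace on the same or next line.
C_FUNC_DEF = re.compile(
    r"^[A-Za-z_][\w\s\*]*?\b([A-Za-z_]\w*)\s*\([^;{}]*\)\s*\{", re.MULTILINE
)
C_KEYWORDS = {"if", "while", "for", "switch", "return", "sizeof", "else"}
# Function names mentioned in prose are assumed to be written as name().
CLAIMED_CALL = re.compile(r"\b([A-Za-z_]\w*)\(\)")


def defined_functions(tree: Dict[str, str]) -> set:
    """Names of functions defined anywhere in the tree."""
    names = set()
    for text in tree.values():
        for m in C_FUNC_DEF.finditer(text):
            if m.group(1) not in C_KEYWORDS:
                names.add(m.group(1))
    return names


def claimed_functions(report: str) -> List[str]:
    """Function names the report refers to, in order of first mention."""
    seen: List[str] = []
    for m in CLAIMED_CALL.finditer(report):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def missing_functions(report: str, tree: Dict[str, str]) -> List[str]:
    """Functions the report names that the code base does not define."""
    defined = defined_functions(tree)
    return [n for n in claimed_functions(report) if n not in defined]


def patch_problems(patch: str, tree: Dict[str, str]) -> List[str]:
    """Reasons a unified diff could not apply: unknown target file, or a
    hunk whose context/removed lines appear nowhere in the file (searched
    at any offset, so a stale line number alone is not flagged)."""
    problems: List[str] = []
    target = None
    old_block: List[str] = []

    def flush() -> None:
        if target in tree and old_block:
            file_lines = tree[target].splitlines()
            n = len(old_block)
            if not any(file_lines[i:i + n] == old_block
                       for i in range(len(file_lines) - n + 1)):
                problems.append(f"{target}: hunk context not found in file")
        old_block.clear()

    for line in patch.splitlines():
        if line.startswith("--- ") or line.startswith("@@"):
            flush()
        elif line.startswith("+++ "):
            target = line[4:].split("\t")[0]
            target = target[2:] if target.startswith("b/") else target
            if target not in tree:
                problems.append(f"{target}: no such file in the tree")
        elif line.startswith("+"):
            continue                      # added lines need not exist yet
        elif line.startswith(("-", " ")):
            old_block.append(line[1:])    # old-side text must be in the file
    flush()
    return problems


def triage(report: str, patch: str, tree: Dict[str, str]) -> Dict[str, object]:
    """Bundle the checks; a failing report is bounced back for correction."""
    missing = missing_functions(report, tree)
    problems = patch_problems(patch, tree)
    return {"missing_functions": missing, "patch_problems": problems,
            "bounce_to_reporter": bool(missing or problems)}


if __name__ == "__main__":
    for key, value in triage(REPORT_TEXT, PATCH, SOURCE_TREE).items():
        print(f"{key}: {value}")
```

Neither check proves a report is fabricated; a genuine researcher can misname a function or attach a stale patch. What they do is turn the "ask for a corrected patch" step into an automatic reply that costs the maintainer nothing, so the reporter who disappears does so before anyone has read the prose.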

“Make It Sound Alarming”

Stenberg’s LinkedIn post exploded, garnering hundreds of comments and shares. Many open-source maintainers chimed in with similar stories. One AI report even included the original prompt: "Make it sound alarming." Others carried a telltale polish (flawless grammar, over-polite language, neatly ordered bullets) that is unusual in first drafts from genuine researchers.

In a conversation with Ars Technica, Stenberg explained his frustration: “LLMs cannot find security problems, at least not like they are being used here. I would like HackerOne to help us, give us tools to strike down this behavior.”

He’s not alone. Seth Larson from the Python Software Foundation echoed the concern, calling this a widespread issue. “If this is happening to a handful of projects that I have visibility for, then I suspect that this is happening on a large scale,” he wrote in December.

Spam Dressed as Signal

The challenge runs deeper than spam; it is about trust and time. Stenberg noted that each false alarm takes real effort to verify. With open-source projects already running on tight resources, this flood of synthetic nonsense is a serious threat to productivity and focus.

One suggestion, raised in comments by security expert Tobias Heldt, involves requiring bug reporters to pay a refundable bond, a sort of anti-spam filter that could help differentiate serious submissions from those seeking easy bug bounty payouts with AI fluff.

What Comes Next?

AI isn’t going anywhere. But as Stenberg emphasizes, there’s a difference between using AI responsibly and abusing it to mimic meaningful research. Until reporting platforms like HackerOne step in with verification tools and filters, open-source maintainers are left on their own, swatting at AI-generated phantoms.

“Bug bounty platforms must evolve with the tools they helped inspire,” Stenberg wrote. “Otherwise, we’ll all drown in machine-made noise, while the real bugs go unfixed.”
