🤖 AI Summary
At FOSDEM 2026, cURL's creator, Daniel Stenberg, highlighted the dual impact of AI on open source projects: while it can uncover serious vulnerabilities, it has also produced an influx of low-quality, AI-generated security reports that overwhelm maintainers. Stenberg announced the suspension of cURL's bug bounty program because of the unreasonable volume of what he termed "AI slop", fabricated vulnerability reports that drain the resources and morale of his small security team. The rise in bogus reports, driven by the lure of significant bounties, has distorted the triage process: the share of reports that turn out to be genuine has fallen from one in six to as low as one in thirty.
Despite these challenges, Stenberg emphasized that AI remains a valuable tool when wielded by skilled engineers. He described how AI-powered analysis tools have found critical bugs that traditional methods missed; for example, such tools can spot inconsistencies across the various protocols and libraries cURL supports, which improves overall security. He remains cautious, however, about AI's role in writing production code, and advocates careful review of AI-generated suggestions before they are accepted. Looking ahead, Stenberg urged the open source community to balance the beneficial and detrimental uses of AI, stressing that maintainers and developers must deliberately steer how it is applied if the outcome is to be positive.