🤖 AI Summary
A longtime bug-bounty professional and HackerOne triage lead warns that AI-generated “slop” — hallucinated, plausibly formatted vulnerability reports produced by LLMs — is overwhelming open-source security workflows and undermining the CVE ecosystem. Maintainers are receiving polished reports that invent function names, impossible attack vectors, or false test cases; curl’s maintainer Daniel Stenberg reports that roughly 20% of submissions are AI-generated while genuine vulnerabilities hover near 5%, yielding roughly four false reports for every real one. The human cost is concrete: a single bogus report can consume multiple person-hours to triage, compounding the maintainer burnout already flagged by major surveys.
Technically, the failure mode is inherent to LLMs: they pattern-match and generate plausible-sounding research without any grounding or verification in the actual codebase. Attackers or opportunistic submitters exploit volume incentives (a few hits from hundreds of submissions pay off), and mitigation tactics—banning accounts, reputation scoring, or education campaigns—haven’t scaled because account creation is trivial and incentives remain misaligned. Meanwhile the CVE infrastructure is strained: MITRE’s contract lapse and a 32% jump in submissions left NVD massively backlogged (fewer than 300 CVEs analyzed by March 2025, ~30k backlogged, ~42% missing metadata), and prior analyses suggested that many CVEs are duplicates or invalid.
The net effect is a collapsing signal-to-noise ratio: security teams and scanners can’t reliably prioritize true risk, maintainers are demoralized or quitting, and critical projects face higher systemic risk. This isn’t just inbox spam — it’s an operational and national-security problem that demands redesigned incentives, stronger verification tooling, and systemic fixes to how vulnerabilities are reported and validated.