daniel:// stenberg://

2 months ago

daniel:// stenberg://
2 months ago

So far in 2025, we have received 52 vulnerability reports submitted to #curl. Two per week on average.

5 have been confirmed security problems (and have been published)

11 were tagged AI slop; all banned and reported to HackerOne

15 were considered "normal bugs"

21 were deemed "not applicable" (various reasons)

#curl

in reply to daniel:// stenberg://

Jacob Garber

in reply to daniel:// stenberg:// 2 months ago

IIRC all submissions must now state if they used AI when creating the reports. Has that changed the number of bogus AI submissions?

in reply to Jacob Garber

daniel:// stenberg://

in reply to Jacob Garber 2 months ago

@jwgarber maybe. I think it's too early to tell for sure. They have not stopped but maybe they slowed down.

@Jacob Garber

in reply to daniel:// stenberg://

Daniel Appelquist

in reply to daniel:// stenberg:// 2 months ago

is that sustainable? Are there "best practices" you can share for identifying the "AI slop"?

in reply to Daniel Appelquist

daniel:// stenberg://

in reply to Daniel Appelquist 1 month ago

there's no perfect way but humans are good at detecting when things are slightly "off" : too polite, too many bullet point lists, usually not specific enough. When asked to clarify it still is vague and way politer than humans normally are. Etc

This entry was edited (1 month ago)

in reply to daniel:// stenberg://

Stefan Eissing

in reply to daniel:// stenberg:// 1 month ago

@torgo The lack of swear words and nudity is always the biggest giveaway. 💁🏻‍♂️

@Daniel Appelquist

in reply to daniel:// stenberg://

Harry Sintonen

in reply to daniel:// stenberg:// 2 months ago

I still consider this a vulnerability. sintonen.fi/advisories/curl-ss…

in reply to daniel:// stenberg://

Nico Cartron

in reply to daniel:// stenberg:// 2 months ago

that's not **that** bad, i was expecting a lot more of category #2 (AI slop)

⇧

daniel:// stenberg:// 2 months ago • •

daniel:// stenberg://
2 months ago