Daniel Stenberg
Don’t Insert Crazy! On cURL and AI Slop - Daniel Stenberg
#1 (about 1 minute)
Why the cURL project shut down its bug bounty program
The bug bounty program was closed due to an overwhelming volume of low-quality, AI-generated security reports that made triage unsustainable.
#2 (about 4 minutes)
Understanding the problem of AI-generated "slop" reports
AI chatbots generate reports with hallucinated vulnerabilities, made-up function names, and false positives based on common C functions like strcpy.
#3 (about 3 minutes)
The high operational cost of managing low-quality submissions
AI-generated reports are often long and elaborate, creating a significant time burden for maintainers who must manually verify each invalid claim.
#4 (about 7 minutes)
Moving vulnerability reporting from HackerOne to GitHub
The new process for reporting vulnerabilities will be through GitHub, without the financial incentives previously provided by the Internet Bug Bounty fund.
#5 (about 11 minutes)
How AI threatens the sustainability of open source projects
AI-generated code can disrupt the open source model by reducing feedback loops, creating licensing ambiguity, and undermining ad-based revenue streams.
#6 (about 3 minutes)
Monetizing open source with commercial support contracts
A sustainable monetization model for foundational projects like cURL involves selling long-term support and expert assistance to businesses that rely on the software.
#7 (about 3 minutes)
Planning for project continuity and the bus factor
The cURL project ensures its longevity through a core team of trusted contributors and a well-documented, open process, mitigating the risk of a single point of failure.
#8 (about 8 minutes)
The future of cURL security without a bounty program
Maintainers are not concerned about a drop in quality reports, as genuine researchers are often motivated by more than money and many reported bugs are historical or API misuse.
#9 (about 5 minutes)
The responsibility of researchers to validate AI findings
Security researchers using AI tools must take responsibility for verifying the claims and reproducing the issues before submitting reports to avoid wasting maintainer time.
#10 (about 2 minutes)
How to spot AI-generated text in issue reports
AI-generated text can often be identified by its excessive length, perfect grammar, overuse of bullet points, and an unusually apologetic tone.