Daniel Stenberg
Don’t Insert Crazy! On cURL and AI Slop - Daniel Stenberg
#1 about 1 minute
Why the cURL project shut down its bug bounty program
The bug bounty program was closed due to an overwhelming volume of low-quality, AI-generated security reports that made triage unsustainable.
#2 about 4 minutes
Understanding the problem of AI-generated "slop" reports
AI chatbots generate reports with hallucinated vulnerabilities, made-up function names, and false positives based on common C functions like strcpy.
#3 about 3 minutes
The high operational cost of managing low-quality submissions
AI-generated reports are often long and elaborate, creating a significant time burden for maintainers who must manually verify each invalid claim.
#4 about 7 minutes
Moving vulnerability reporting from HackerOne to GitHub
The new process for reporting vulnerabilities will be through GitHub, without the financial incentives previously provided by the Internet Bug Bounty fund.
#5 about 11 minutes
How AI threatens the sustainability of open source projects
AI-generated code can disrupt the open source model by reducing feedback loops, creating licensing ambiguity, and undermining ad-based revenue streams.
#6 about 3 minutes
Monetizing open source with commercial support contracts
A sustainable monetization model for foundational projects like cURL involves selling long-term support and expert assistance to businesses that rely on the software.
#7 about 3 minutes
Planning for project continuity and the bus factor
The cURL project ensures its longevity through a core team of trusted contributors and a well-documented, open process, mitigating the risk of a single point of failure.
#8 about 8 minutes
The future of cURL security without a bounty program
Maintainers are not concerned about a drop in quality reports, as genuine researchers are often motivated by more than money and many reported bugs are historical or API misuse.
#9 about 5 minutes
The responsibility of researchers to validate AI findings
Security researchers using AI tools must take responsibility for verifying the claims and reproducing the issues before submitting reports to avoid wasting maintainer time.
#10 about 2 minutes
How to spot AI-generated text in issue reports
AI-generated text can often be identified by its excessive length, perfect grammar, overuse of bullet points, and an unusually apologetic tone.