Hasty Briefs (beta)


CURL's Daniel Stenberg: AI slop is DDoSing open source

3 hours ago
  • #AI
  • #Open Source
  • #Security
  • Daniel Stenberg, creator of cURL, discusses AI's dual impact on open source: enabling bogus security reports and uncovering deep bugs.
  • cURL's bug bounty program was overwhelmed by AI-generated 'slop' reports, leading to its shutdown to remove financial incentives for low-quality submissions.
  • AI tools have helped cURL find and fix over 100 bugs, reasoning across protocols and specs in ways traditional tools couldn't.
  • Stenberg uses AI review bots for pull requests but remains skeptical of AI-generated production code, likening AI suggestions to an 'eager junior'.
  • AI-generated contributions don't change cURL's legal risk model, as the project has always trusted contributors' rights to submit code.
  • Stenberg highlights the broader open source challenge: large companies using AI to find bugs but not providing patches or funding for fixes.
  • He urges projects to experiment with defenses against spammy AI reports and scrapers, suggesting vetted-reporter 'secret clubs'.
  • Stenberg's message emphasizes human choice in using AI for good (improving security) or bad (flooding projects with low-quality reports).