Curl creator mulls nixing bug bounty awards to stop AI slop
Briefly

Daniel Stenberg reported a significant rise in bogus bug submissions attributed to generative AI tools, coining the term "AI slop". Approximately 20 percent of submissions in 2025 have been classified as such, leading to a valid submission rate of only 5 percent. Primarily because of the overwhelming number of low-quality reports, Stenberg is reconsidering the future of curl's bug bounty program, which has distributed $90,000 since 2019. The existing policy encourages reporters to disclose the use of AI for submissions but does not ban such submissions entirely.
The general trend so far in 2025 has been way more AI slop than ever before (about 20 percent of all submissions) as we have averaged about two security report submissions per week.
In early July, about 5 percent of the submissions in 2025 had turned out to be genuine vulnerabilities. The valid-rate has decreased significantly compared to previous years.
The situation has prompted Stenberg to reevaluate whether to continue curl's bug bounty program, which he says has paid out more than $90,000 for 81 awards since its inception in 2019.
You should check and double-check all facts and claims any AI told you before you pass on such reports to us. You are normally much better off avoiding AI.
Read at The Register