Daniel Stenberg
Don't Insert Crazy! On cURL and AI Slop - Daniel Stenberg
#1 about 1 minute
Why the cURL project shut down its bug bounty program
The bug bounty program was closed due to an overwhelming volume of low-quality, AI-generated security reports that made triage unsustainable.
#2 about 4 minutes
Understanding the problem of AI-generated "slop" reports
AI chatbots generate reports with hallucinated vulnerabilities, made-up function names, and false positives based on common C functions like strcpy.
#3 about 3 minutes
The high operational cost of managing low-quality submissions
AI-generated reports are often long and elaborate, creating a significant time burden for maintainers who must manually verify each invalid claim.
#4 about 7 minutes
Moving vulnerability reporting from HackerOne to GitHub
The new process for reporting vulnerabilities will be through GitHub, without the financial incentives previously provided by the Internet Bug Bounty fund.
#5 about 11 minutes
How AI threatens the sustainability of open source projects
AI-generated code can disrupt the open source model by reducing feedback loops, creating licensing ambiguity, and undermining ad-based revenue streams.
#6 about 3 minutes
Monetizing open source with commercial support contracts
A sustainable monetization model for foundational projects like cURL involves selling long-term support and expert assistance to businesses that rely on the software.
#7 about 3 minutes
Planning for project continuity and the bus factor
The cURL project ensures its longevity through a core team of trusted contributors and a well-documented, open process, mitigating the risk of a single point of failure.
#8 about 8 minutes
The future of cURL security without a bounty program
Maintainers are not concerned about a drop in quality reports, as genuine researchers are often motivated by more than money and many reported bugs are historical or API misuse.
#9 about 5 minutes
The responsibility of researchers to validate AI findings
Security researchers using AI tools must take responsibility for verifying the claims and reproducing the issues before submitting reports to avoid wasting maintainer time.
#10 about 2 minutes
How to spot AI-generated text in issue reports
AI-generated text can often be identified by its excessive length, perfect grammar, overuse of bullet points, and an unusually apologetic tone.