
Curl Project Founder Calls for AI Report Screening Amid Flood of Low-Effort Submissions

In a striking move, Daniel Stenberg, the founder of the widely used curl project, has announced new measures to combat the growing influx of AI-generated bug reports that he describes as 'slop': low-effort submissions that waste the time and resources of project maintainers. On April 5, 2024, Stenberg took to LinkedIn to express his frustration, stating that the time required to sift through these AI-assisted vulnerability reports is akin to a DDoS attack on the project. As a result, every new report submitted through HackerOne must now indicate whether it was generated using AI tools.

This drastic measure comes after Stenberg encountered a particularly egregious report that claimed to reveal vulnerabilities in the HTTP/3 protocol but turned out to reference non-existent functionality. He noted that in the last six years, no valid bug report has been generated with the help of AI, and that the frequency of such low-quality submissions is on the rise. The curl project, reliant on volunteer contributors, can ill afford to spend resources on reports that are fundamentally flawed or fabricated.

The situation echoes sentiments voiced by other developers in the open-source community, notably Seth Larson from Python's security team, who remarked on the emotional toll that handling these low-quality reports takes on maintainers, including confusion, frustration, and potential burnout. The rise of AI tools has enabled individuals, whether inexperienced or seasoned, to submit reports quickly, often passing them off as legitimate content. Stenberg's call for action not only targets these AI-assisted reports but also illustrates a larger issue within the bug-reporting ecosystem, where quality has dipped because AI makes content so easy to generate.

In reaction to the influx of low-quality reports, Stenberg has implemented an immediate ban on any user whose report is deemed AI-generated 'slop'. He also mentioned his wish for HackerOne to implement stricter measures against such submissions, an appeal for community-wide solutions to this growing problem. The response from the wider tech community has been mixed, with some agreeing that Stenberg's approach is necessary for maintaining the integrity of open-source projects.

This situation highlights a critical intersection of technology and community management in software development, raising the question of how tools can enhance productivity without diluting quality. The curl project, established 26 years ago, now faces a pivotal challenge that could reshape how bug bounty programs are structured and managed across various platforms. The future of open-source development may hinge not just on innovation, but on maintaining the quality of that innovation amid the rapidly changing landscape of artificial intelligence input.

Bias Analysis

Bias Score: 45/100

This news has been analyzed from 7 different sources.

Bias Assessment: The article represents a moderately neutral view of Stenberg's actions and concerns, highlighting relevant issues without excessive judgment or emotion. However, there may be an inherent bias towards emphasizing the negative impacts of AI on open-source projects, potentially framing AI advancements more critically than necessary. Overall, the score reflects a balance between highlighting genuine concerns and maintaining a focus on plausible, responsible AI usage.
