Curl Cracks Down on AI-Generated “Slop” Bug Reports: A DDoS of Wasted Time?
Daniel Stenberg, the founder of the popular curl project, has reached his breaking point with the influx of low-quality, AI-generated bug reports. Frustrated by the time wasted on triaging these often-invalid submissions, Stenberg has implemented a new policy requiring bug reporters on HackerOne to disclose whether AI was used in generating their reports. This move comes as a response to what Stenberg describes as a "DDoS attack" on project maintainers' time.
The core issue, as Stenberg explains, lies in the fact that these AI-assisted reports, while often sounding plausible at first, ultimately turn out to be baseless. He recounts a recent report that "pushed [him] over the limit," detailing a supposed exploit in the HTTP/3 protocol stack that referred to nonexistent functions. This incident highlighted the concerning trend of AI hallucinating details, wasting valuable time for the volunteer specialists who maintain open-source projects like curl.
"We now ban every reporter instantly who submits reports we deem AI slop," Stenberg declared. "A threshold has been reached. We are effectively being DDoSed. If we could, we would charge them for this waste of our time." He emphasizes that, to date, the project has not received a single valid bug report generated using AI assistance.
This sentiment is echoed by others in the open-source community. Seth Larson of the Python Software Foundation raised similar concerns, noting that responding to these AI-generated reports is "expensive and time-consuming" due to their initial appearance of legitimacy. Larson warns that such low-quality reports can lead to burnout among highly trusted contributors.
Stenberg's frustration isn't new. He raised the issue earlier in January 2024, criticizing the "crap reports" generated by AI tools like Google Bard (now Gemini). The problem, he argues, is that these reports look legitimate at first glance but ultimately consume valuable time as maintainers try to disentangle fact from fiction. The new checkbox on HackerOne is designed to filter out these low-effort submissions, allowing the curl team to focus on genuine security vulnerabilities.
In an interview with Ars, Stenberg expressed hope that the increased attention to this issue will prompt HackerOne to take stronger action and provide maintainers with "more tools to strike down this behavior." He also mentioned a report where the submitter accidentally pasted their prompt, ending with, "and make it sound alarming." This sheds light on the intention behind using AI in bug reporting: hoping to quickly cash in potential bounty rewards.
The implementation of this new policy isn't just about saving time; it's about protecting the well-being of the individuals who dedicate their time and expertise to maintaining critical open-source projects. Curl, with its vast user base and a bug bounty program offering up to $9,200 for critical vulnerabilities, is a prime target for these AI-driven attempts. With over 3,379 individual contributors since its inception in 1998, the project relies on a collaborative effort to ensure its security and stability.
Is this a turning point in how open-source projects handle AI-generated content, or just the beginning of a larger battle against the rising tide of AI “slop”? Share your thoughts and experiences in the comments below. Let's discuss the future of bug reporting in an AI-driven world.
Can you Like
