High-Quality Chaos


Daniel Stenberg, curl's maintainer, describes a new era of AI-assisted security research affecting open source projects. After shutting down curl's bug bounty due to low-quality AI-generated spam submissions, the project moved back to HackerOne in March 2026. The result: report volume doubled again, but quality is now high — confirmed vulnerability rates returned to ~15-16%. Nearly every report now shows signs of AI assistance. A Mastodon poll confirmed the same trend across dozens of major open source projects including Linux kernel, Firefox, git, Django, and many others. Curl alone may publish close to 50 CVEs in 2026, a record. The concern is that maintainer capacity won't keep pace with the flood of valid reports, and that bad actors can use the same AI tools to find vulnerabilities before patches are deployed.

4 min read. From daniel.haxx.se
Table of contents

No more AI slop
Higher volume, higher quality
Everything is AI now
We are not unique
An explosion
Where does it end?
