Curl developers have thrown down the gauntlet, saying they will ban all users who use AI to generate and submit security and bug bounty reports.
The open source community has been inundated by “AI slop”: bug and security reports generated by AI because the reporter lacks the skill or work ethic to find and document the bug themselves. Unfortunately, AI slop results in a significant uptick in open source maintainers’ workloads, as they first have to wade through a report and waste time trying to reproduce it, only to realize it’s completely useless.
Curl CEO Daniel Stenberg has clearly had enough, posting about it on LinkedIn.
That’s it. I’ve had it. I’m putting my foot down on this craziness.
- Every reporter submitting security reports on #HackerOne for #curl now needs to answer this question:
“Did you use an AI to find the problem or generate this submission?”
(and if they do select it, they can expect a stream of proof of actual intelligence follow-up questions)
- We now ban every reporter INSTANTLY who submits reports we deem AI slop. A threshold has been reached. We are effectively being DDoSed. If we could, we would charge them for this waste of our time.
We still have not seen a single valid security report done with AI help.
Open source maintainers are already overworked and underpaid, especially considering the invaluable service they render. To then be inundated with time-wasting AI-generated bug reports is simply a bridge too far, and hopefully other projects will follow Curl’s lead. Users who want to contribute should learn how to do so themselves and put in the work.