cURL maintainer: "Fed up" – because of AI bug reports

Daniel Stenberg, maintainer of the well-known and powerful web tool cURL, has a well-known aversion to AI-supported error reports. Now, however, he is "fed up" with it and is starting to pull the ripcord.

Once again, it's about bug reports created with artificial intelligence that were submitted via the bug bounty platform Hackerone, for example. "That's it. I've had enough. I'm putting my foot down about this madness," Stenberg currently writes on LinkedIn.

Bug hunters must declare whether they have used AI

Stenberg explains that from now on, anyone who submits a bug report on Hackerone will have to answer a question: "Did you use AI to find the problem or create this submission?". Those who check the box can expect a lot of questions to prove that actual intelligence is involved.

"From now on, we will immediately ban any reporter who submits reports that we deem to be AI garbage. A line has been crossed. We are effectively beingDDoSt. If we could, we would bill them for wasting our time," Stenberg continues. "We have yet to see a single valid security report created using AI assistance."

On Mastodon, the cURL developer posted a screenshot of the new question on Hackerone. The trigger for the current measure was a bug report on Hackerone, which allegedly dealt with security problems in a function that does not even exist in cURL – the AI used to generate the report apparently hallucinated it. This was the straw that broke the camel's back.

In January 2024, Stenberg caused quite a stir with a clear rant. He cursed at the "crap reports" from AI, which, unlike the "garbage reports" that had apparently been submitted more often before, were harder to recognize as nonsense and took up a lot of time. Fortune hunters had their reports formulated by the AI and made to look better so that they appeared to hit a sore spot.

(dmk)