Mastodawn

The security reporting situation that I see at the ASF and in #curl is

- huge increase in reports
- increase of valid reports
- appearance of duplicate/triplicate reports of the same issue by different people

A high profile project needs to deal with 2-4 new reports each day. This is nuts.

One *may* hope this to go down again later this year bc
- unhallucinated issues are finite (see the fuzzing wave)
- eventually it will cost real money to generate these reports

Show thread

Elias Probst

@icing if those valid reports are based on tool (LLM?) usage, there's a case to be made to improve languages/frameworks/pre-commit analysis to catch those earlier in the future and to reduce the post-release noise & efforts.