There are virtually **no** AI slop security reports submitted about #curl anymore. They don't seem to happen any longer.

Almost everyone still uses AI though.

@bagder is that because you quit h1? or people finally gave up trying?
@Viss we went back to h1. I think primarily because the AI tooling got a lot better.
@bagder oh! interesting! did h1 implement any guard rails at all since or did they mention anything to you? i wager a torrrent of negative press about how they just let slop reports through probably put a dent in their revenue stream
@Viss they've done some minor tweaks, but I can't see how anything they've done is any factor here
@bagder iiiiiinteresting!

@Viss @bagder

LLMs are shockingly good at finding security vulnerabilities now

The reports they write are a bit meh, and coordination is still hard

@joshbressers @bagder i have a buuuuuunch of research i'm working on, and the title of the talk is 'claude is your insider threat now'. fingers crossed securityfest and sec-t let me in :D

@Viss @bagder

I will note though, I haven't seen the exploit prices come down yet

It's possible the markets haven't caught up, or it's bad at finding the really juicy stuff

I admit I haven't seen it find anything SUPER impressive yet

@joshbressers @bagder llms are at 'bad adhd intern levels now', it feels like, versus hallucinatory and outright intentional disinformation
@joshbressers @Viss @bagder It's a lot about edge cases in API use and things involving 'malicious servers' - which... yeah, it's security, but...
@joshbressers @Viss @bagder LLMs have been used to find security issues with a lot of success, though usually they're used more like static analyzers: https://daniel.haxx.se/blog/2025/10/10/a-new-breed-of-analyzers/
A new breed of analyzers

(See how I cleverly did not mention AI in the title!) You know we have seen more than our fair share of slop reports sent to the curl project so it seems only fair that I also write something about the state of AI when we get to enjoy some positive aspects of this technology. …

daniel.haxx.se
@mahid @joshbressers @bagder even still, if the human driving the thing around is a ponce and doesn't know shit, that's how you get slop into security reports. llms will happily give you "code that compiles", but is thousands of times less efficient than human code, and often made of elegantly construed bullshit - so unless there's an expert at the helm, shit goes bad fast.

@bagder @Viss

Back to h1, but without bug bounty this time, right?

I imagine that makes a difference, or did you rule that out?

@bagder This is great news, but how much extra work and attention do these bug reports submitted as security reports give you, compared to having them as issues on GitHub? I see that most of the recent reports are non applicable as security reports, and while they may now all find real issues (of varying degrees), I assume security reports still take a higher priority and more attention for the team?
@Varpie yeah, the challenge is that they are *suspected* vulnerabilities which forces us to keep them secret while being assessed, and that is what makes them specially burdensome.
@bagder @Varpie If the whole "responsible disclosure" thing came crashing down, I wouldn't shed a tear.💁🏻‍♂️
@bagder how is the experience with agentic-assisted pull requests?
@bagder
I'm still charging $50/hour to use AI. So far they all declined.
@bagder what do you think caused the people submitting those reports to suddenly not do that anymore?
@bagder is it to do with demonetisation?
@bagder I don't believe your mystical tales;-) Python still gets the likes of "CRITICAL 0-DAY: Python ctypes Memory Corruption" :-/
@stanfromireland @bagder I wonder if Daniel's complaints became popular enough, that the AIs now give curl some special treatment. Just to avoid bad publicity. (But then, if the vendors were able to tune the AIs so they don't send slop reports to curl, why should they limit that treatment to curl? Does it consume significantly more resources to detect invalid reports?)
@jannic @stanfromireland as can be seen in my timeline today, there are *PLENTY* other projects seeing the same trend. It's everywhere.