If your Open Source project sees a steep increase in the number of high quality security reports (mostly done with AI) right now (#curl, Linux kernel, glibc confirmed) please tell me the name of this project.

(I'd like to make a little list for my coming talk on this.)

@bagder reverse question: do you/anyone know which tooling they are using to generate high quality reports and findings?
@fightbackman no, but my impression is that a lot of it is made with Claude code and various adaptations on top of that

@bagder @fightbackman So Carlini, the Anthropic guy, is not just a salesman? Serious question.

For me it's still open how much of a flood of reports should be expected.

@bagder @fightbackman Is there any indication to use open source ai models instead? I don't think dependencies against closed source software are good. Would those projects accept reports of these kinds of models? I imagine if we would take other development software there wouldn't be an argument about this.
@thaodan @fightbackman we're talking about reports created by tools. I'm sure most people would be happy if good reports were made with open source tools, sure, but a report is a report, a bug is a bug. When someone reports a bug against my project, I care about fixing it. I don't complain about the tool used to find it.
@bagder @thaodan I think we can be happy to get reports with some actual value which don't burn out/waste the time of the maintainers.
This is what we can be happy about nowadays. Whether it is in the end a good or bad thing how these reports are generated is beyond my knowledge or wisdom to have a clear opinion on. Time will tell.