daniel:// stenberg://19h ago

If your Open Source project sees a steep increase in number of high quality security reports (mostly done with AI) right now (#curl, Linux kernel, glibc confirmed) please tell me the name of this project.

(I'd like to make a little list for my coming talk on this.)

Show threaddaniel:// stenberg://

Apache httpd, curl, Django, Firefox, glibc, GnuTLS, Haproxy, libssh, Linux kernel, python, Temporal, Wireshark, wolfSSL

More?

Apr 7 at 8:15amWeb
Show threaddaniel:// stenberg://15h ago

Updated:

Apache httpd, curl, Django, Elasticsearch Python client, Firefox, git, glibc, GnuTLS, Haproxy, Immich, libssh, Linux kernel, OpenLDAP, PowerDNS, python, Sequoia PGP, Temporal, urllib3, Wireshark, wolfSSL

We can say with certainty that this is widespread.

Show thread🪨14h ago
@bagder I'd be curious to see how many projects see a positive change, vs projects still suffering from slop reports. It would be interesting to have a larger sample over time, and see if there are some turning points that can be attributed to specific models or tools being released.
Show threadhsbt14h ago
@bagder Ruby
Show threadAnders Thoresson13h ago
@bagder Det här gör mig intresserad! Var kommer du hålla den här presentationen?
Show threaddaniel:// stenberg://13h ago
@anders foss-north: https://foss-north.se/2026/speakers-and-talks.html#dstenberg
foss-north 2026

Show threadEven Rouault13h ago
@bagder libtiff too, with some gems like https://gitlab.com/libtiff/libtiff/-/work_items/814
Heap buffer overflow in TIFFClientOpenExt via TOCTOU race between strlen and strcpy on caller-supplied filename (#814) · Issues · libtiff / libtiff · GitLab

Summary A time-of-check-to-time-of-use (TOCTOU) race condition in TIFFClientOpenExt() (libtiff/tif_open.c) causes a heap buffer overflow when the name argument points to a shared mutable buffer that is concurrently...

GitLab
Show threadkby9h ago
@EvenRouault @bagder Is this what’s meant with high-quality? Long inflationary description of a minor to practically non-existent vulnerability?
Show threadBrændꜵn Mollɔy 13h ago

@bagder random anecdote tangentially related but I needed to debug a binary on Windows with no source. Claude used nothing but deno as a disassembler and found the exact issue (an async flag where it shouldn’t be and misuse of win32) which saved me hours waiting for the client to “maybe” give me the source.

Claude can be used very well for security work in the right hands.

Show threadRené Dudfield3h ago

@bagder

The next months I will call the-open source--security-apocalypse-dark-times (of death).

Because I wanted a cheerful name that makes it not seem as bad as it is. /s

Show threadscrewlisp17h ago
@bagder are you asking for negative reports as well?
Show threadClemens17h ago
@bagder Pretty sure if you ask the OpenSSL people directly they can also attest. @mold maybe?
Show threadFrederik Braun �16h ago
@bagder every browser, every library that does media parsing, compression, …
Show threadHoward Chu @ Symas16h ago

@bagder OpenLDAP is seeing more AI-assisted bug reports that claim to be security issues, but aren't.

E.g., calling a crash in a commandline tool a DoS (no, it's not a service).

Show threaddaniel:// stenberg://15h ago
@hyc yeps, the tools still have a hard time to distinguish between bugs and security reports but at least they are nowadays often accurately identifying real flaws, even if not vulnerabilities
Show threadHoward Chu @ Symas15h ago

@bagder the other one we see is calling assert failures crashes. It's not a SEGV, there's no possibility of data exfiltration or RCE. There's no security exposure, it's just a bug. One that was anticipated hypothetically by the original developer, but whose final disposition wasn't decided upon way back when.

E.g. /* can this even happen? */

They toss in an assert, and it lives quietly in the code for decades before someone definitively shows yes, it can happen...

Show threaddaniel:// stenberg://15h ago
@hyc sure, but to me that goes into the gray area category where we always argue with reporters: what's a security problem and what is not. Debates done since the dawn of time. AI tools or not.
Show threadCassandrich15h ago
@hyc @bagder An assert failure controlled by data from a different privilege domain is a DoS/data loss vuln. The meaning of assert is documenting that you believe something can't happen under the intended usage.
Show threadHoward Chu @ Symas14h ago
@dalias it's a DoS but not the same as an actual crash, which is unanticipated. There is zero security exposure from an assert failure: no data leak, no unauthorized access, no possibility of code injection. The trigger conditions are clearly spelled out in the assert itself, so it's trivially remedied. Calling it a security issue dilutes the word "security" to meaninglessness.
Show threadCassandrich13h ago
@hyc Not all security issues are code execution. Generally this kind of issue is much lower-severity, but it can cause loss of unsaved data or corruption of existing data by leaving it in an inconsistent state at termination. CVEs are still assigned for DoS vulns.
Show threadHoward Chu @ Symas13h ago
@dalias in general, I suppose so. For OpenLDAP, we only consider something a security issue if it results in someone getting unauthorized access to data. Anything else is just an ordinary bug, and since our LMDB database guarantees ACID transactions, crashes can't leave data in an inconsistent state so that's a non-issue.
Show threaddaniel_ferradal_marquez12h ago
@bagder not long ago you were reporting, and rightly so, the amount of slop you were receiving, now, in a short time span, you are reporting have changed to the opposite. Why do you think this is? Someone got the message?
Show threadAdam Barnett4h ago

@daniel_ferradal_marquez @bagder I imagine there’s no decrease in the amount of slop reports though? Just an increase in the number of apparently high quality reports.

Interesting to see this the same day this got announced: https://www.anthropic.com/glasswing

Project Glasswing: Securing critical software for the AI era

A new initiative to secure the world’s most critical software and give defenders a durable advantage in the coming AI-driven era of cybersecurity.