Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload.
Ask yourself what you do to make the situation better.
Make sure your employer does as well.
| Website | https://www.wireshark.org/ |
| Twitter | https://twitter.com/geraldcombs |
| Pronouns | he / him / hey, jackass |
| Bluesky | https://bsky.app/profile/geraldcombs.bsky.social |
AIs have been finding bugs and vulnerabilities in #curl for some time.
Is it work to fix those? Yes.
Has someone paid for this? Partially (wolfSSL and @sovtechfund)
Are the AIs annoying? Yes, very.
Could humans find the same bugs? Yes, if they'd somehow avoid being bored to death through it.
Was there something "heartbleed"-like? No.
Were there lots of C mistakes? No, logic bugs mostly.
Do AIs run out of steam? Yes. After a while a model stops finding things. Findings differ per model.
#curl's hackerone "portal" has been open 74 days this year, during which we have received 92 reports.
That's one new report every 20 hours. Last year we got one every 48 hours, but then the quality was also much worse.
Every report takes a few hours to deal with.
The reports are often high quality and identify problems, but only some of them *security problems*.
The problem here is not AI. Just good old overloading a few with so much work.
The AIs are not good enough to fix the issues.
If your Open Source project sees a steep increase in the number of high quality security reports (mostly done with AI) right now (#curl, Linux kernel, glibc confirmed), please tell me the name of this project.
(I'd like to make a little list for my coming talk on this.)
There are virtually **no** AI slop security reports submitted about #curl anymore. They don't seem to happen any longer.
Almost everyone still uses AI though.
someone in another open source project (to remain anonymous here) replied to my weekly email and said "as a comparison, we received 70 reports last week"
The ongoing "security report overload" is systematic and everywhere now.
Endure fellow maintainers!