The project developer for one of the Internet’s most popular networking tools is scrapping its vulnerability reward program after being overrun by a spike in submissions of low-quality reports, many of them AI-generated slop.

“We are just a small single open source project with a small number of active maintainers,” Daniel Stenberg, the founder and lead developer of the open source app cURL, said Thursday. “It is not in our power to change how all these people and their slop machines work. We need to make moves to ensure our survival and intact mental health.”

  • Not a newt@piefed.ca
    2 days ago

    For anyone doubting the extent of the slop problem, Daniel is on Mastodon and is very open about the slop reports he encountered. He even tried to get input from other OSS maintainers about what could be done to reduce the cognitive burden when receiving such reports. The thing is, even if an AI slop report is easy to identify, it still takes several minutes out of someone’s day to respond, wait for the submitter to retract their submission or double down, and THEN ban them, because that’s their SOP on HackerOne. And that doesn’t even include the cost of switching contexts. When you are likely to receive dozens of these per day, that’s a significant portion of your time being wasted.