
I have previously blogged about the relatively new trend of AI slop in vulnerability reports submitted to curl and how it hurts and exhausts us.
This trend does not seem to slow down. On the contrary, it seems that we have recently not only received more AI slop but also more human slop. The latter differs only in the way that we cannot immediately tell that an AI made it, even though we many times still suspect it. The net effect is the same.
The general trend so far in 2025 has been way more AI slop than ever before (about 20% of all submissions) as we have averaged in about two security report submissions per week. In early July, about 5% of the submissions in 2025 had turned out to be genuine vulnerabilities. The valid-rate has decreased significantly compared to previous years.
We have run the curl Bug Bounty since 2019 and I have previously considered it a success based on the amount of genuine and real security problems we have gotten reported and thus fixed through this program. 81 of them to be exact, with over 90,000 USD paid in awards.
66 sats \ 3 replies \ @optimism 21h
Can attest to the problem: two of my security mailing lists have received slop-only in 2025 thus far. The first few I was nice to the senders, but not anymore.
reply
I had no idea this was even a thing until I read this blog, or like, I kinda imagined it, but didn’t really know. Developers are wasting precious time for no good reason. Now the innocent gotta pay for the guilty!
132 sats \ 0 replies \ @optimism 21h
Since I'm no longer nice, it wastes about 5 minutes of my time per email and at the moment it's just a couple per month, so it's not that bad (yet.)
The increase in people that delude themselves that they are cybersecurity experts because they made an AI persona is the most worrying aspect of this. Especially since at the same time they themselves don't understand how awfully bad the code is their AI personas spit out.
111 sats \ 0 replies \ @ek 20h
We also received AI slop as responsible disclosures on GitHub.