
AI slop got better, so now maintainers have more work

(2026/04/07)


If AI does more of the work but humans still have to check it, you need more reviewers. Now that AI models have gotten better at writing and evaluating code, open-source projects find themselves overwhelmed with the too-good-to-ignore output.

For the curl project, that has meant less AI slop and more demand upon maintainers who have to evaluate more plausible vulnerability reports.

"Over the last few months, we have stopped getting AI slop security reports in the [1]curl project," said Daniel Stenberg, founder and lead developer of curl, in a social media [2]post. "They're gone. Instead, we get an ever-increasing amount of really good security reports, almost all done with the help of AI."

The reports, said Stenberg, are being submitted faster than ever before and are imposing a growing workload on maintainers.

According to Stenberg, the situation is similar for other open source maintainers.

Linux kernel maintainer Greg Kroah-Hartman recently [6]noted how AI-assisted bug reports contained less slop and more valid concerns. He said that the Linux team has been trying to deal with the increased volume, but implied that smaller teams might be struggling.

Even if the reports are better, the issues being identified aren't necessarily security flaws that can be exploited and need to be corrected. As evidence, Stenberg points to curl's [8]public list of closed reports. Most of the reports have been closed because the issue isn't a serious threat, even if it might be something worth correcting.

For example, a data race in a curl library was [9]initially discussed as an issue that might get a CVE. But it was eventually fixed in [10]a pull request, with the bug deemed to be simply "informative."

Stenberg, back in 2024, called out [15]the problem of AI slop bug reports and, earlier this year, went so far as to [16]stop paying awards for curl vulnerability reports. His goal was to remove the incentive to submit erroneous or unsubstantiated reports, whether those came from automated systems designed to maximize financial gain while minimizing effort or from people using AI tools who shirked their obligation to check the AI's work.

Other organizations have taken similar steps, most recently the Internet Bug Bounty program, which said it would stop issuing monetary awards for vulnerabilities at the end of March.

"The discovery landscape is changing," the program maintainers said in an [17]announcement that also shuttered the Node.js [18]vulnerability award program. "AI-assisted research is expanding vulnerability discovery across the ecosystem, increasing both coverage and speed. The balance between findings and remediation capacity in open source has substantively shifted. We have a responsibility to the community to ensure this program effectively accomplishes its ambitious dual purpose: discovery and remediation. Accordingly, we are pausing submissions while we consider the structure and incentives needed to further these goals."

Linux maintainer Willy Tarreau [20]responded to Stenberg's post by noting that the Linux kernel team has had a similar experience to those working on curl. He argues that more needs to be asked of those making bug reports.

"It's time to update the reporting rules to reduce the overhead by making the LLM+reporter do a larger share of the work to reduce the time spent triaging," he said.

Capable AI tooling doesn't increase the capabilities of the humans in the loop. Much of the notional productivity gain from AI may just be AI tool users moving the cost of code review off the books. ®



[1] https://www.linkedin.com/search/results/all/?keywords=%23curl&origin=HASH_TAG_FROM_FEED

[2] https://www.linkedin.com/posts/danielstenberg_hackerone-activity-7446667043996725249-ZhEU

[6] https://www.theregister.com/2026/03/26/greg_kroahhartman_ai_kernel/

[8] https://hackerone.com/curl/hacktivity?type=team

[9] https://hackerone.com/reports/3645361

[10] https://github.com/curl/curl/pull/21209

[15] https://www.theregister.com/2024/12/10/ai_slop_bug_reports/

[16] https://www.theregister.com/2026/01/21/curl_ends_bug_bounty/

[17] https://hackerone.com/ibb?type=team

[18] https://nodejs.org/en/blog/announcements/discontinuing-security-bug-bounties

[20] https://www.linkedin.com/feed/update/urn:li:activity:7446667043996725249/?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A7446667043996725249%2C7446779569199538176%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287446779569199538176%2Curn%3Ali%3Aactivity%3A7446667043996725249%29




Everything old is new again

williamyf

If you substitute "AI generated bug report" with "Automated fuzzing tools", it is like reading an article from circa 2002

The workload of software maintainers increased significantly, because researchers used automated tools to find significantly more bugs...

They survived the onslaught then, and the maintainers of today will survive the onslaught too...
