AI Slop? Not This Time. AI Tools Found 50 Real Bugs In cURL (theregister.com)
- Reference: 0179760098
- News link: https://developers.slashdot.org/story/25/10/12/0619247/ai-slop-not-this-time-ai-tools-found-50-real-bugs-in-curl
- Source link: https://www.theregister.com/2025/10/02/curl_project_swamped_with_ai/
> Over the past two years, the open source curl project has been flooded with bogus bug reports generated by AI models. The deluge prompted project maintainer Daniel Stenberg to publish several blog posts about the issue [2][3][4] in an effort to convince bug bounty hunters to show some restraint and not waste contributors' time with invalid issues. Shoddy AI-generated bug reports have been a problem not just for curl, but also for the Python community [5], Open Collective [6], and the Mesa Project [7].
>
> It turns out the problem is people rather than technology. Last month, the curl project received dozens of potential issues from Joshua Rogers, a security researcher based in Poland. Rogers identified assorted bugs and vulnerabilities with the help of various AI scanning tools. And his reports were not only valid but appreciated. Stenberg in a Mastodon post [8] last month remarked, "Actually truly awesome findings." In his mailing list update [9] last week, Stenberg said, "most of them were tiny mistakes and nits in ordinary static code analyzer style, but they were still mistakes that we are better off having addressed. Several of the found issues were quite impressive findings...."
>
> Stenberg told The Register that about 50 bugfixes based on Rogers' reports have been merged. "In my view, this list of issues achieved with the help of AI tooling shows that AI can be used for good," he said in an email. "Powerful tools in the hand of a clever human is certainly a good combination. It always was...!" Rogers wrote up a summary [10] of the AI vulnerability scanning tools he tested. He concluded that these tools — Almanax, Corgea, ZeroPath, Gecko, and Amplify — are capable of finding real vulnerabilities in complex code.
The Register's conclusion? AI tools "when applied with human intelligence by someone with meaningful domain experience, can be quite helpful."
jantangring [11] (Slashdot reader #79,804) has published an article [12] on Stenberg's new position, including recently published comments from Stenberg that "It really looks like these new tools are finding problems that none of the old, established tools detect."
[1] https://www.theregister.com/2025/10/02/curl_project_swamped_with_ai/
[2] https://www.theregister.com/2025/07/15/curl_creator_mulls_nixing_bug/
[3] https://www.theregister.com/2025/05/07/curl_ai_bug_reports/
[4] https://www.theregister.com/2024/01/04/aiassisted_bug_reports_make_developers
[5] https://sethmlarson.dev/slop-security-reports
[6] https://framapiaf.org/@Betree/114456180452192212
[7] https://social.treehouse.systems/@gfxstrand/115220843956925235
[8] https://mastodon.social/@bagder/115241241075258997
[9] https://lists.haxx.se/pipermail/daniel/2025-September/000127.html
[10] https://joshua.hu/llm-engineer-review-sast-security-ai-tools-pentesters
[11] https://www.slashdot.org/~jantangring
[12] https://etn.se/index.php/72494
AI tools found shit (Score:2)
I'll quote TFS just in case:
> Rogers identified assorted bugs and vulnerabilities
Re: AI tools found shit (Score:2)
Don't expect AI to be autonomous. It's not there yet. But that doesn't mean the human/AI pair programmer isn't better than the human alone.
Conclusion (Score:2)
> The Register's conclusion? AI tools "when applied with human intelligence by someone with meaningful domain experience, can be quite helpful."
Experts using tools can actually get work done? That's some fine reporting there, Lou.
Fake "success" is fake (Score:2)
The real question is how many wrong reports those 50 had to be filtered from. If it is a larger number, then this is still a fail and unusable.
Re: (Score:2)
Huh? It's clearly usable since they obtained this list of 50 valid bugs. How is that a fail? Without the AI it may have taken a decade to find these bugs, by which time North Korea may have found one or two that we'd have missed.