> Open source code library cURL is removing the possibility to earn money by reporting bugs, hoping that this will reduce the volume of AI slop reports.
> cURL has been flooded with AI-generated error reports. Now one of the incentives to create them will go away.
I've been helping a bit with OWASP documentation lately and there's been a surge of Indian students eagerly opening nonsensical issues and PRs and all of the communication and code is clearly 100% LLMs. They'll even talk back and forth with each other. It's a huge headache for the maintainers.
I suggested following what Ghostty does where everything starts as discussions - only maintainers create issues, and PRs can only come from issues. It seems like this would deter these sorts of lazy efforts.
I was reading some GitHub comments earlier and the AI tone and structure in the comments posted by some users made me feel really uneasy for some reason.
I know a Brazilian who puts lots of emails through ChatGPT because they aren't confident in their English, but this seemed to be AI generating the majority of the content of the message too.
Little bit offtopic; is anyone getting more reports of site vulnerabilities I wonder? There are how many AI tools claiming to find those automatically and we get a lot of reports, some even have the tool name on. Thing is, most, well, all so far in the past months, are not true. They seem hallucinations or false positives. We have closed source SaaS products, so these are external scans making these reports.
Creating crap vuln reports or PRs on popular OSS projects has been an issue long before LLMs. Remember Hacktoberfest?
Students would often abuse it since there’s no adult in the room to teach them how to behave. I guess this is one hard way to f around and find out. But this is by no means condoning this sort of behavior.
Point is, LLMs made the situation more dire: it’s cheap to generate code, whereas reviewing still scales sublinearly. The only way to prevent this is by being rude to people who are rude to you.
Problem is that the LLM operators don't care if you're rude. They copy and paste your response to the LLM and probably don't read it themselves. If they do read it they don't suffer any ego hit from it because if there was any error it was the LLM's not theirs and their LLM is busy telling them how brilliant and unparalleled they are and how wrong the haters are in any case.
CURL is free to try it, but I'm doubtful being rude will meaningfully improve things. I'm confident it won't improve the ratio of good to bad reports because non-chatbot powered submitters are sensitive to rudeness or even the threat of potential rudeness, and so this approach could easily reduce total volume some but mostly in the reduction of good submissions.
I am friends with a solo maintainer of a major open source project.
He repeatedly complains that at the beginning of some semester, he sees a huge spike of false/unproveable security weakness reports / GutHub issues in the project. He thinks that there is a Chinese university which encourages their students to find and report software vulns as part of their coursework. They don’t seem to verify what they describe is an actual security vuln or that the issue exists in his GitHub repo. He is very diligent and patient and tries to verify the issue is not reproducible, but this costs him valuable time and very scarce attention.
He also struggles because the upstream branch has diverged from what the major Linux distribution systems have forked/pulled. Sometimes the security vulns are the Linux distro package default configurations of his app, not the upstream default configurations.
And also, I’m part of the Kryptos K4 SubReddit. In the past ~6 months, the majority of posts saying “I SOLVED IT!!!1!” Are LLM copypasta (using LLM to try to solve it soup-to-nuts, not to do research, ideate, etc). It got so bad that the SubReddit will ban users on first LLM slop post.
I worry that the fears teachers had of students using AI to submit homework has bled over into all aspects of work.
I'm not sure it helped in the end, afaik they did it since like 2003 until some years after the raid, but it still seemed like they didn't get the message and kept trying anyways, which from their perspective makes sense but still.
> We will ban you and ridicule you in public if you waste our time on crap
If shame worked, then slop reports would've stopped being made already. Public ridicule only creates a toxic environment where good faith actors are caught up in unnecessary drama because a maintainer felt their time was being wasted. Ban them, close your bug bounty program, whatever, but don't start attacking people when you feel slighted because that never ends well for anyone (including curl maintainers)
One way this can backfire: if you have no reputation and are nobody, and get banned and publically ridiculed, this is now a badge of honor you can take to wealthy and deluded people convinced of the AI future, to say 'look, I have been shot at! I'm a true believer!'
"As contributors and maintainers of this project, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities"
Why have a code of conduct while being hostile to contributors?
I think this is probably less effective than if there was some sort of "credit" or reputational score for reporting that seems like something GitHub would have the information to implement.
84 comments
[ 2.8 ms ] story [ 75.1 ms ] thread> Open source code library cURL is removing the possibility to earn money by reporting bugs, hoping that this will reduce the volume of AI slop reports.
> cURL has been flooded with AI-generated error reports. Now one of the incentives to create them will go away.
[1] https://news.ycombinator.com/item?id=46701733
[2] https://etn.se/index.php/nyheter/72808-curl-removes-bug-boun...
[0] https://curl.se/dev/vuln-disclosure.html
[1] https://curl.se/docs/bugbounty.html
I suggested following what Ghostty does where everything starts as discussions - only maintainers create issues, and PRs can only come from issues. It seems like this would deter these sorts of lazy efforts.
Check the closed PR's on express https://github.com/expressjs/express
Yikes!
I was reading some GitHub comments earlier and the AI tone and structure in the comments posted by some users made me feel really uneasy for some reason.
I know a Brazilian who puts lots of emails through ChatGPT because they aren't confident in their English, but this seemed to be AI generating the majority of the content of the message too.
would be so awesome if github supported all that. probably kills their business model though
Fair play to them.
Students would often abuse it since there’s no adult in the room to teach them how to behave. I guess this is one hard way to f around and find out. But this is by no means condoning this sort of behavior.
Point is, LLMs made the situation more dire: it’s cheap to generate code, whereas reviewing still scales sublinearly. The only way to prevent this is by being rude to people who are rude to you.
CURL is free to try it, but I'm doubtful being rude will meaningfully improve things. I'm confident it won't improve the ratio of good to bad reports because non-chatbot powered submitters are sensitive to rudeness or even the threat of potential rudeness, and so this approach could easily reduce total volume some but mostly in the reduction of good submissions.
He repeatedly complains that at the beginning of some semester, he sees a huge spike of false/unproveable security weakness reports / GutHub issues in the project. He thinks that there is a Chinese university which encourages their students to find and report software vulns as part of their coursework. They don’t seem to verify what they describe is an actual security vuln or that the issue exists in his GitHub repo. He is very diligent and patient and tries to verify the issue is not reproducible, but this costs him valuable time and very scarce attention.
He also struggles because the upstream branch has diverged from what the major Linux distribution systems have forked/pulled. Sometimes the security vulns are the Linux distro package default configurations of his app, not the upstream default configurations.
And also, I’m part of the Kryptos K4 SubReddit. In the past ~6 months, the majority of posts saying “I SOLVED IT!!!1!” Are LLM copypasta (using LLM to try to solve it soup-to-nuts, not to do research, ideate, etc). It got so bad that the SubReddit will ban users on first LLM slop post.
I worry that the fears teachers had of students using AI to submit homework has bled over into all aspects of work.
I'm not sure it helped in the end, afaik they did it since like 2003 until some years after the raid, but it still seemed like they didn't get the message and kept trying anyways, which from their perspective makes sense but still.
If shame worked, then slop reports would've stopped being made already. Public ridicule only creates a toxic environment where good faith actors are caught up in unnecessary drama because a maintainer felt their time was being wasted. Ban them, close your bug bounty program, whatever, but don't start attacking people when you feel slighted because that never ends well for anyone (including curl maintainers)
And then maybe they will give you money.
(from https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-s...)
"As contributors and maintainers of this project, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities"
Why have a code of conduct while being hostile to contributors?
I think they should handle this differently.