From “death by a thousand AI slops” to fixing 50 bugs in just three months


Nearly three months ago, Daniel Stenberg, creator of the widely used curl utility, complained about the overwhelming flood of low-quality AI-generated vulnerability reports, calling them “AI slop.” However, the lead maintainer now says that AI-generated reports led to 50 bug fixes.

Curl is an open-source tool for computers to transfer data to and from the internet. It’s used by countless devices and applications, and nearly every internet user relies on curl without even realizing it.

Rapid AI adoption started to become a nuisance in early 2024, when “luck seekers” started submitting AI-generated bug bounty reports. In mid-2025, AI-generated “slop” seemed to be getting out of hand.

“In early July, about 5% of the submissions in 2025 had turned out to be genuine vulnerabilities,” Stenberg said at the time.

Stenberg’s blog post “Death by a thousand AI slops” sent a shockwave through the industry, highlighting the growing problem of low-quality AI-generated content wasting developers’ and many other people’s time.

The curl security team, consisting of seven members, spent hours on every report. Stenberg even considered changing the bug bounty program and dropping the monetary reward to remove the incentives.

But how the tables turn. In a recent interview with Swedish industrial electronics news publisher Elektroniktidningen (Electronics Magazine) at etn.se, Stenberg acknowledged that AI-generated bug reports recently led to 50 fixes in the curl library source code in September alone.

“This is new,” Stenberg told etn.se.

“It really looks like these new tools are finding problems that none of the old, established tools detect.”

All bug reports came from a single bug bounty hunter, Joshua Rogers.

“Joshua Rogers sent us a *massive* list of potential issues in #curl that he found using his set of AI-assisted tools. Code analyzer style nits all over. Mostly smaller bugs, but still bugs, and there could be one or two actual security flaws in there. Actually, truly awesome findings,” Stenberg posted on Mastodon on September 21st, 2025.

In the weekly newsletter, Stenberg also acknowledged that AI tools can clearly provide valuable help “when in the hands of the correct people.”

“His set of tools, when told to dig through the curl source code, generated a huge set of potential problems like any ordinary static code analyzer does,” Stenberg said in the message.

Rogers used ZeroPath, a code security suite, to detect curl bugs. In the blog post, the developer detailed that scanning open-source code nets hundreds of real vulnerabilities in critical software, including sudo, libwebm, next.js, and others.

“Yes, finally, AI found real bugs in curl! Indeed, not only did ZeroPath find a plethora of vulnerabilities, it was intimidatingly good at finding normal bugs, when given a custom rule to do so,” Rogers said.
