Open source project curl is fed up with user-submitted "AI vulnerability slop"

  • Threshold Reached and DDoS Allegation: Daniel Stenberg, original author and lead of the curl project, wrote that a threshold has been crossed and that the project is effectively being DDoSed by bogus reports. He suggested charging reporters for the wasted time if that were possible.
  • About curl: curl is a 25-year-old, essential command-line tool and library for interacting with Internet resources. It receives bug reports and security issues through multiple channels, including HackerOne, and HackerOne has recently been using AI tools.
  • Stenberg's Stance: Stenberg is tired of the situation and has proposed that every suspected AI-generated HackerOne report will require the reporter to confirm whether AI was used. If a report is judged to be "AI slop", the reporter will be banned. He states that no valid security report has yet been produced with AI help.
  • A Specific Report: A May 4 report claimed a novel exploit in the HTTP/3 protocol stack using stream dependency cycles. However, the submitted patch file did not apply to the latest version of a Python tool; when asked, the reporter did not provide an updated patch and instead suggested incorrect tactics.
  • Response and Interview: Stenberg is glad his post is getting attention. He has seen four misguided AI-generated vulnerability reports this week alone. He has spoken with HackerOne before and wants the platform to take stronger action and provide better tools. In the comments, suggestions such as relying on existing networks and infrastructure and filtering on signals were made. Stenberg has previously blogged about AI-generated reports, and others have added to his findings. Seth Larson noted that this is a concerning trend and may be happening on a large scale across open source projects.