AI slop got better, so now maintainers have more work

For years, the open-source sector has struggled with a flood of so-called AI slop — low-quality, mass-generated bug reports that were easy to identify and dismiss. However, the situation has changed drastically. Language models have become so advanced that the security analyses they generate sound professional and credible, which paradoxically is becoming the biggest nightmare for developers maintaining key infrastructure projects.

When artificial intelligence does the lion's share of the work in scanning code, the burden of verifying the results still rests on human shoulders. The problem is that with the increasing quality of submissions, their number is growing drastically, paralyzing the work of teams that must manually check every "probable" attack scenario.

Evolution from spam to credible reports

Daniel Stenberg, creator and leader of the curl project, noticed a significant shift in the nature of the reports received. In his recent post, he emphasized that the era of primitive AI spam has come to an end. Instead of obvious errors, the project is now receiving an increasing number of extremely polished security reports that are prepared almost entirely using AI tools. While this sounds like a technological success, for maintainers it means a drastic increase in workload.

This phenomenon is not unique to curl. Similar observations are coming from the Linux kernel camp. Greg Kroah-Hartman, one of the key Linux kernel developers, admitted that AI-supported reports now contain significantly less "garbage" and more real concerns regarding code architecture. While large teams, like those working on Linux, are trying to adapt to the new reality, smaller open-source projects are beginning to buckle under the weight of reports that are too good to ignore.

• Increase in credibility: Reports are technically consistent and use professional terminology.
• Faster distribution: Automation allows reports to be sent almost immediately after a potential vulnerability is detected.
• Scaling problem: The number of reports is growing faster than the capacity for human verification.

The trap of "probable" bugs

The main problem is that even if a report is technically correct, it does not automatically mean it describes a critical security vulnerability (CVE). Daniel Stenberg points to the public list of closed curl reports as evidence: most cases are closed because the identified problems do not pose a real threat that could be exploited in an attack. Often these are purely "informational" issues, such as a data race in a library, which although requiring a fix, was not a critical error.

As a result, maintainers waste hours analyzing scenarios that AI deemed risky but which have negligible significance in a real-world environment. This is a classic example of cost shifting — users of AI tools gain "productivity" by generating mass reports, while the cost of processing and verifying them is shifted onto developers working pro bono on open-source software.

The end of the bug bounty era

In the face of the new wave of reports, organizations are starting to withdraw the financial incentives that previously stimulated the community to search for vulnerabilities. Internet Bug Bounty announced a halt to cash prize payouts at the end of March 2026, affecting programs like Node.js. This decision stems from an imbalance between the pace of vulnerability discovery and the ability of open-source projects to fix them.

"The bug discovery landscape is changing. AI-assisted research is increasing the scope and speed of vulnerability detection across the ecosystem. Responsibility to the community requires us to reconsider the incentive structure," reads the Internet Bug Bounty statement.

Stenberg himself had already stopped paying rewards for reports in the curl project. The goal was to eliminate the financial motivation for people who use automated systems to mass-send unverified reports, hoping for easy profit with minimal personal effort.

New rules of the game in the LLM world

Developers like Willy Tarreau from the Linux kernel team suggest that it is time for a radical change in bug reporting rules. Since report authors have powerful LLM models at their disposal, they should be obligated to perform a larger portion of the analytical work before sending a report to the maintainer. The proposed changes aim to reduce the overhead associated with triage — the initial selection and classification of bugs.

The vision of a programmer as a "10x developer" thanks to AI has its dark side — it also means "10x more cleanup." If AI tools do not also begin to take responsibility for verification and proving the real security impact of a bug, the open-source model may face a capacity crisis. The productivity gained at the code-writing stage will be completely consumed by the endless process of reviewing mass-generated content.

Modern artificial intelligence does not increase human competence in the decision loop, but only accelerates processes that still require human approval. The industry must develop new content filtering standards where AI helps maintainers separate the wheat from the technical chaff, instead of just burying them under increasingly well-written but still redundant analyses.