AI slop got better, so now maintainers have more work

Plausible reports, heavier load
It has been reported that as generative models get better at writing and evaluating code, open-source projects are being flooded with far more plausible bug and vulnerability reports — and someone still has to check them. curl founder Daniel Stenberg allegedly said on social media that the era of obvious AI “slop” is over: the noise has been replaced by a rising tide of high‑quality reports, submitted faster than maintainers can triage. Linux kernel maintainer Greg Kroah‑Hartman has reportedly seen the same pattern. Smaller teams? They may be stumbling under the weight.
Triage, incentives and shifting costs
Not every well‑written report is a real, exploitable vulnerability. It has been reported that curl’s public list shows many AI‑helped reports closed as non‑critical or merely informative — a data race that prompted CVE talk ended up treated as “informative” after a fix. The emotional heart of this story is simple: someone excitedly waves a plausible problem in your face, and you have to do the dirty work of proving whether it matters. Frustrating? You bet.
It has been reported that maintainers are already changing incentives. Stenberg stopped paying awards for curl reports in 2024 to remove the reward for low‑effort submissions, and the Internet Bug Bounty program has paused payouts while it rethinks structure and incentives. Willy Tarreau of the Linux team has argued it’s time to force reporters (LLM‑assisted or not) to do more of the heavy lifting so maintainers don’t drown in triage. The upshot: capable AI doesn’t magically upskill the human in the loop — it may just offload the messy, expensive part onto volunteers. Who pays the piper now?
Sources: The Register