
Submission + - AI slop? Not this time. Generative AI found 50 real bugs in cURL — and cou (etn.se)

jantangring writes: AI-generated bug reports are usually trash. But when a security researcher used LLM-based scanners the right way, he found 50 real bugs in libcURL. Swedish tech journal talks to cURL maintainer Daniel Stenberg and to Joshua Rogers, the Australian hacker / security researcher who is using AI tools to uncover loads of old bugs in open source projects.
Generative AI has now proven that it can independently discover new vulnerabilities in high-quality source code. New generative AI tools are suddenly digging up bugs that traditional static analysis tools have been overlooking for years.
“I’m actually overwhelmed by the quality of some of these findings”, says Daniel Stenberg, maintainer of the file-transfer library cURL, in an interview with Swedish industrial electronics news publisher Elektroniktidningen (etn.se).
In a well-known talk this August, Daniel Stenberg warned that he and his team were being flooded with AI-generated bug reports — wrong, confused, hallucinatory garbage created by generative AI.
Such “AI slop” has begun to waste valuable time for open-source maintainers, not only in cURL. The community is struggling with how to stem the tide.
Still, banning AI wasn’t the solution, Stenberg argued back then. He believed that AI might yet prove useful.
And he turned out to be right. In September, a batch of cURL bug reports arrived that has so far led to 50 fixes in the cURL library source code.
It marks a clean break from the previous wave of junk reports. There may have been the odd valid AI-based bug report before, but this time, Stenberg’s team implemented fifty fixes, all stemming from AI-generated reports. Once again the team is knee-deep in AI bug reports — but this time, they’re not slop. These are bugs that cURL’s regular analysis tools have been completely overlooking.
“This is new,” says Daniel Stenberg. “It really looks like these new tools are finding problems that none of the old, established tools detect.”
“We regularly run clang-tidy, scan-build, CodeSonar and Coverity on the code, and whenever they find something, we fix it. So when all those tools report zero issues and someone suddenly finds hundreds, that’s pretty spectacular,” he adds — with some understatement.
All the bug reports came from one single developer: Joshua Rogers, an Australian with 15 years in cybersecurity, including at Opera Software in Poland. Today he works in security for a cryptocurrency company.
Over the past few months, he has been evaluating new AI-based tools and has started submitting bug reports to several open-source projects — including cURL, sudo, libwebm, Next.js, avahi, wpa_supplicant and squid.
None of the 50 bugs found in cURL were critical, but Rogers has discovered critical vulnerabilities elsewhere, including in source code from his former employer Opera Software. That bug was patched in early September.
Initially, Rogers hesitated to report bugs to cURL — familiar with Stenberg’s public stance on “AI slop”.
“Even though I could literally see the bugs in the code, I thought there was a 0.001% chance I was wrong — and I’d end up in the hall of shame,” Rogers says with a smile.
But he eventually gathered his courage and started sending reports.
After a while, Stenberg reached out curiously and asked where the reports were coming from.
“After I explained it to him, he asked me to send him the un-reviewed list of problems, and he'd triage them himself.”
“Triage” is a medical term — sorting patients by urgency. In software, it means prioritizing bug reports by severity.
Rogers says he’s received similarly astonished reactions from other open-source maintainers.
On his blog, he has shared insights into how he performs vulnerability analysis using LLM based SAST tools (Static Application Security Testing). His main message: these tools exist, and they’ve become incredibly good.

Comment Re:What exactly is the law/rule? (Score 2) 323

They are accused of this:
- Selling millions of cars that are not certified. VW does have some certificates, but they are valid only for (non-existing) cars without the defeat devices. Devices that work like this have to be declared. There are acceptable uses for example when handling emergencies or when starting the car, but cheating on emissions testing would presumably not have been an acceptable use. So VW didn't mention them in the application and thus the certificates they do own are not valid for the cars they sold.
- Having installed defeat devices, which is illegal.

Comment In a parallel world without XKCD 936 (Score 1) 549

“What is there to prevent ‘letmeinfacebook’ from being the new most common four word password for Facebook accounts?”

Chance. XKCD 936 says to choose the words at random.

Diogomonica is wrong. And so was Bruce Schneier, and for the same reason – he missed that the words are to be chosen at random.

https://www.schneier.com/blog/...

This means for example picking up a few books and selecting pages and words at random. I picked a poetry book and used only words starting with an "o". Not optimal, but nice.

Password managers are better, definitely. So sure, mention the password manager first. But nine out of ten of your readers will not install them. What will you tell them? Nothing?
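The random-choice point in the comment above, worked through as an added example (this is not code from the original post or from XKCD): a small Python generator that picks passphrase words uniformly with the operating system's CSPRNG, and the arithmetic that answers the quoted objection. If every word is an independent uniform pick from a list of N words, a particular phrase such as the one quoted comes out with probability N^-k, no more often than any other phrase, so it cannot become "the most common" one. The wordlist is constructed for the demonstration; the 2048-word and 7776-word list sizes used in the assertions and the demo are the sizes XKCD 936's entropy figure and the Diceware list respectively assume, which is my note rather than the comment's.

```python
import math
import secrets

# Constructed sample wordlist for this demonstration. Real passphrase lists
# are far longer (roughly 2048 words in XKCD 936's arithmetic, 7776 in
# Diceware); the entropy maths below works for any list size.
SAMPLE_WORDS = [
    "oak", "orbit", "ocean", "olive", "onion", "opera", "orange", "orchid",
    "otter", "outlaw", "oven", "owl", "oxen", "oyster", "ozone", "object",
]


def bits_per_word(wordlist_size):
    """Entropy contributed by one uniformly random pick from the list."""
    if wordlist_size < 2:
        raise ValueError("a wordlist needs at least two words")
    return math.log2(wordlist_size)


def passphrase_entropy_bits(wordlist_size, word_count):
    """Entropy of word_count independent, uniform picks (with replacement)."""
    return word_count * bits_per_word(wordlist_size)


def phrase_probability(wordlist_size, word_count):
    """Probability that the generator emits one particular phrase.

    Every phrase has the same probability N^-k, which is why a chosen
    phrase like the quoted one cannot become 'the most common' password
    when words are picked at random.
    """
    return wordlist_size ** -word_count


def words_to_reach(wordlist_size, target_bits):
    """Smallest number of words giving at least target_bits of entropy."""
    return math.ceil(target_bits / bits_per_word(wordlist_size))


def choose_words(wordlist, word_count, pick=secrets.choice):
    """Pick word_count words independently and uniformly, with replacement.

    `pick` defaults to secrets.choice (CSPRNG). It is a parameter only so
    the function can be exercised deterministically; real passphrases keep
    the default.
    """
    if word_count < 1:
        raise ValueError("need at least one word")
    bits_per_word(len(wordlist))  # validates the list size
    return [pick(wordlist) for _ in range(word_count)]


def make_passphrase(wordlist, word_count=4, separator=" "):
    """Return a passphrase string built from uniformly random words."""
    return separator.join(choose_words(wordlist, word_count))


if __name__ == "__main__":
    n = len(SAMPLE_WORDS)
    print("sample passphrase:", make_passphrase(SAMPLE_WORDS))
    print(f"{n}-word list, 4 words: {passphrase_entropy_bits(n, 4):.1f} bits")
    print(f"2048-word list, 4 words: {passphrase_entropy_bits(2048, 4):.1f} bits")
    print("words for 64 bits from a 7776-word list:", words_to_reach(7776, 64))
```

The book method in the comment and this generator differ only in the source of randomness and the effective list size: the entropy estimate is still `word_count * log2(list_size)`, and it only holds if each pick is genuinely uniform over the whole list, which is the part the quoted objection overlooks.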

Comment Links to sources and some comments from author (Score 1) 129

Thanks for linking to us! I think that's a first!

Credit goes to Armdevices for finding the story: http://armdevices.net/2014/01/...

Chipsip also of course publishes its own press releases: http://www.chipsip.com/news/in...

This is Chipsip's own comparison between their design and Google Glass (pdf) http://www.chipsip.com/archive...

To some commenters:
- This is not a product. This is a reference design which other companies will build smart glasses from. Some of the dozen or so manufacturers of prism smart glasses out there, besides Google, might well have used this design.
- The specs top Google's Glass, but the manufacturer can of course choose to not utilize them fully, to make for example price more reasonable. Look upon this specification as the limit of what you can do today in this form factor – maybe carrying an external battery in your breast pocket?
- Google put a lot of effort in the software ("OK glass!", et cetera). Chipsip has a much simpler idea in the link above – to use the smart glasses basically as an extra screen to a standard Android smartphone.

- Jan Tångring, reporter, Elektroniktidningen (etn.se).

Comment What about the Sony Vaio Z? (Score 1) 69

What about the Sony Vaio Z docking station Power Media Dock? It was advertised June 28 to be using “an optical cable” and ‘Light Peak’.

http://presscentre.sony.eu/content/detail.aspx?ReleaseID=6836&NewsAreaId=2

It is available now, at $499.99,

http://store.sony.com/webapp/wcs/stores/servlet/ProductDisplay?catalogId=10551&storeId=10151&langId=-1&partNumber=VGPPRZ20A/B#features
