Full Report
"One way you can tell is it's always such a nice report," founder tells Ars.
Analysis Summary
# Main Topic
The curl project leadership, led by founder Daniel Stenberg, is aggressively banning users who submit vulnerability reports believed to be generated by Artificial Intelligence ("AI slop"), because triaging these invalid submissions wastes a significant amount of developer time and resources.
## Key Points
- The curl project lead stated they are "effectively being DDoSed" by these low-quality, suspected AI-generated reports.
- A specific turning point was a report suggesting a "novel exploit leveraging stream dependency cycles in the HTTP/3 protocol stack," which was ultimately deemed unhelpful, inaccurate, and based on non-existent functions in related libraries.
- The quality indicator mentioned is the excessively "nice report" formatting often associated with these submissions.
- The project intends to ask reporters to verify if AI was used in generating the report; if confirmed as "AI slop," the reporter will be banned.
- The project has not seen a single valid security report assisted by AI to date.
## Threat Actors
- **Threat Actor Type:** Submitter/Reporter (Not a malicious attacker, but a source of noise/resource drain).
- **Attribution:** Unattributed initial reporters, but the process targets submissions that resemble large language model (LLM) output.
- **Motivation:** Unknown, but the submitted reports are characterized as time-wasting, potentially driven by automated systems scanning for bug bounties or testing LLM capabilities.
## TTPs
- **TTPs:** Submitting vulnerability reports via established channels (e.g., HackerOne).
- **Technical Focus of Fake Reports:** Exploiting HTTP/3 stream dependency cycles, potentially leading to remote code execution (RCE).
- **Report Quality Indicators:** Submissions containing prompt-like answers, citing libraries or functions that do not exist, and padding the report with basic instructions (e.g., how to use `git`) instead of an actionable fix.
## Affected Systems
- **Targeted System:** `curl` command-line tool and library.
- **Protocols Mentioned:** HTTP/3 protocol stack handling of stream dependency cycles.
- **Dependencies Mentioned:** `aioquic` (a Python QUIC/HTTP/3 library; the false report cited functions in it that do not exist).
## Mitigations
- **Project Response (Internal/Process Mitigation):** Implementing a mandatory verification step for suspicious reports to identify and ban users submitting "AI slop."
- **Immediate Action:** Increased scrutiny of submissions that lack technical depth or exhibit overly polished, generic language.
## Conclusion
The widespread use of generative AI is introducing significant noise into critical open-source security processes, forcing core projects like curl to implement strict, potentially adversarial filtering mechanisms to protect developer resources. The threat here is attrition and distraction rather than direct compromise. Projects should review incoming vulnerability reports for signs of AI generation, especially when they appear overly verbose or reference code that does not match the codebase.