https://www.linkedin.com/posts/danielstenberg_hackerone-curl-activity-7324820893862363136-glb1

Daniel Stenberg's Post

Daniel Stenberg (curl CEO. Code Emitting Organism), 2d, edited:

That's it. I've had it. I'm putting my foot down on this craziness.

1. Every reporter submitting security reports on #Hackerone for #curl now needs to answer this question: "Did you use an AI to find the problem or generate this submission?" (and if they do select it, they can expect a stream of proof of actual intelligence follow-up questions)

2. We now ban every reporter INSTANTLY who submits reports we deem AI slop. A threshold has been reached. We are effectively being DDoSed. If we could, we would charge them for this waste of our time.

We still have not seen a single valid security report done with AI help.

189 Comments

Daniel Stenberg (curl CEO. Code Emitting Organism), 2d:

This is the latest one that really pushed me over the limit: https://hackerone.com/reports/3125832

Tobias Heldt, 7h:

Totally hear you, Daniel Stenberg. You're probably paying the highest price for AI slop, it hits maintainers like you the hardest. We've been digging into this problem with Madison Oliver under the lens of Open Source Security Economics within the OpenSSF. One idea we explored: what if researchers had to stake a small deposit on their submission - only paid out as part of their bounty if the report clears a basic signal threshold (the deposit is lost if the report is not even rated "Info" and rejected)?
It adds friction, but also researchers need to signal & stake their own confidence, which should filter DoS-like noise. Curious to hear your take, how you would see bug bounties being modernised for the age of AI?

Gary Longsine (Collaborate * Deliver * Iterate.), 2d:

How many of these are you seeing a month? And what was the reporting rate a couple years ago? Are these kids playing around, or is it a weaponized DDoS against security defect reporting and response, industry wide?

Travis Higley (Software Developer), 7h:

This is 100% the future of tech. Tons of resources wasted on dealing with AI slop. It is totally not sustainable. And will blow up on us all.

Prof. Dr. Michael Stal (Principal Key Expert Engineer at Siemens Corporate Technology), 1d:

The problem is obvious. I am an AI researcher and know the limitations of AI, but obviously some don't. The point is: check and test manually and write a report yourself. BTW: the code was also created, tested and checked manually. Some may argue, AI could beautify or improve a report. But again, don't do this! An AI might hallucinate. Give respect to the developers who spend their time developing for a whole community.

Christopher Stith (Manager, Site Reliability Engineering), 1d:

I fear the only way to realistically address this other than the types of steps you've outlined is to put it into terms of service that access is not allowed to AI or people submitting AI-generated content, and then actually have them prosecuted under laws like the CFAA 1986.

Jason Ferguson (Sr Director of Product Security Operations @ Connectwise), 2d:

It has to be incredibly frustrating to deal with a flood of nonsense reports generated by AI.
Beyond the obvious waste of time and resources spent investigating these false alarms, there's a potential significant emotional toll on security teams also. Imagine constantly being bombarded with "critical" and "high" severity alerts that turn out to be noise (looks at VTM sideye). This is different than the typical nonsense beg bounty reports and legacy automated findings. And this constant invalidation, especially when it impacts crucial services, must be incredibly demoralizing and potentially lead to a case of mental fatigue. Props for calling it out and disclosing the report.

Bjorn Lundell, 2d:

Daniel Stenberg, I feel for you! You are doing enormously valuable work, and the development you describe (which causes significant extra work) is deeply regrettable.

Mert Y. (backend dev | system admin), 1d:

I have been hearing about this issue here and there, I thought it would have been resolved by people stop submitting reports they at the very least don't test, just out of common courtesy.