• Artwork@lemmy.world · 48 up / 2 down · edited · 16 hours ago

    We now ban every reporter instantly who submits reports we deem AI slop. A threshold has been reached. We are effectively being DDoSed. If we could, we would charge them for this waste of our time.

    We still have not seen a single valid security report done with AI help.

    ~ Daniel Stenberg
    Source [2025]

    --

    For those of you who don’t want to click into LinkedIn, https://hackerone.com/reports/3125832 is the latest example of an invalid curl report.

    Source: https://news.ycombinator.com/item?id=43907751 [2025-05-06]

    • exu@feditown.com · 24 up / 2 down · 17 hours ago

      It’s worth noting that curl has since seen at least one good AI-assisted report, but in that case the submitter had already done the work of sorting the output and only passing valid issues along.

    • bluGill@fedia.io · 16 up / 3 down · 15 hours ago

      That was 2025. This year he has stated that they get many AI reports per day and nearly all are real issues. Things have changed a lot in the past few months.

      Though curl didn’t restart their bug bounty program, so there is no incentive to submit slop anymore.

      • greenskye@lemmy.zip · 9 up · edited · 14 hours ago

        That was 2025.

        Man, I’m really starting to empathize with my grandparents and their struggle to keep up with tech. I used to think it was silly that they said stuff moved too fast when it had been 5 years. Now apparently your opinion on AI is only good for less than 12 months (probably less).

        • bluGill@fedia.io · 5 up / 1 down · 14 hours ago

          When things are new, it is often quick for a bit. Then it slows down. My prediction (which has been wrong before!) is that AI has reached the peak of the change.

          However you should ALWAYS be ready and willing to change your opinion on anything when new evidence comes in.

          • greenskye@lemmy.zip · 1 up · 31 minutes ago

            I’m open to new info, but so much of the AI push has mimicked the crypto and NFT hype that it’s been really hard to distinguish between reality and grift.

            I tried to do my due diligence on research, but apparently doing so ~13 months ago is already out of date. I’m honestly not interested or motivated enough to re-evaluate the state of AI every 6 months.

            My current takeaway is that this is like the cloud computing hype, in that it’s got a real, valid use case, but that’s being overshadowed by it being shoehorned into literally everything and dumb salespeople claiming it will do things that it will in fact never actually do.

            What it can actually do won’t be able to be determined by most of us until after the dumb hype wave dies down and the valid business cases become boring everyday tasks, and everyone forgets that at one point CEOs were literally believing that they’d have a movie-level general AI assistant like Cortana.

• waigl@lemmy.world · 32 up · 16 hours ago

    AI might be useful to find some bugs that might otherwise have been missed, but you still need to do the manual work to make sure it’s actually valid and to produce a proof of concept.

• MoonMelon@lemmy.ml · 17 up / 2 down · 16 hours ago

    You know those bug reports where the user somehow didn’t see the huge bug report right on the front page with 100 comments, pinned to the top of the issues page, and they duplicated it? Where they didn’t provide a log or a stack trace, or even their system specs? The kind of report which caused the developers to implement a massive issue template that the user just ignored?

    We automated that 😎

    That template? — Filled with garbage.

    That stack trace? — Contains methods that don’t actually exist.

    It’s not debugging, it’s deblowmyfuckingbrainsout.