daniel stenberg: The AI slop security reporting is basically extinct [in curl]... [bugs] are found with AI tools and normally high quality bug reports. (mastodon.social)

submitted 3 days ago by nobody_1677@lemmy.world to c/linux@lemmy.ml

11 comments fedilink hide all child comments

top 11 comments

sorted by: hot top controversial new old

[-] JoMiran@lemmy.ml 13 points 3 days ago

Infosec professional for almost 30 years here. I can confirm that the latest iterations of AI models are finding high quality bugs and vulnerabilities in the code we work with. If Daniel has access to Mythos, I suspect his experience would be even more shocking.

The problem I have is that the AI tools can find bugs faster than they can be patched, which is eventually going to prompt companies to use AI to patch bugs found by AI. Before long, no living being will be able to make heads or tails out of the code we run. Just my 2¢.

[-] utopiah@lemmy.ml 3 points 2 days ago

AI tools can find bugs faster than they can be patched

Not a security expert but wasn't that the case already? It feels like before AI there were already a lot more bugs, security related or not, on backlogs. That's precisely why there are metrics like severity.

[-] cecilkorik@piefed.ca 7 points 3 days ago

no living being will be able to make heads or tails out of the code we run.

Which is fine, because somebody will just vibe code a replacement when it gets too unwieldy and then we'll start the cycle of unmaintainability all over again. Welcome to the era of disposable, limited-use software.

While you're all working on dealing with that, don't mind me, I'm just going to be over here admiring all this artisanal, hand-crafted software running in a carefully arranged and manually curated legacy virtual machine with loving attention to detail and thoughtful Feng Shui, where it will be safe and protected from the horrors of the open internet until someday NetWatch finally fires up the blackwall to protect us.

[-] Eggymatrix@sh.itjust.works 7 points 3 days ago

I think that there is now a phase were the bugs that are findable by AI will be reported en masse, and there will be a period of patching them and working through the queue. After this we will end up with better software overall, which is what Linus predicted a couple months ago.

That said there still needs to be a penality for crap reports, because those are still received, making us loose time on what is functionally just spam.

[-] thingsiplay@lemmy.ml 6 points 3 days ago

Does that mean the bug bounty program will come back?

[-] kibiz0r@midwest.social 6 points 3 days ago

Perpetual loop of “bounty encourages bad reports”, “canceled bounty”, “bug reports improve”, “bounty comes back”, “bounty encourages bad reports”…

[-] thingsiplay@lemmy.ml 8 points 3 days ago

bounty also encourages good reports. So your argumentation is that the bounty program is the reason why reports were bad lately? I don't think that is the reason and bringing it back will not make it that worse again.

[-] Goodlucksil@lemmy.dbzer0.com 5 points 3 days ago

Bounties bring many more reports, and many more of them are bad than they are good

[-] thingsiplay@lemmy.ml 6 points 3 days ago

It wasn't like that before Ai. And since rise of Ai, the quality went down and not only for bounties. So this is not a problem with bounties. Now that the quality of reports went up and is not much of an issue anymore, we can assume it will not an issue anymore with bounties coming back.

In short, bounties are not the cause of the low quality reports.

[-] SpaceNoodle@lemmy.world 3 points 3 days ago

You're picking nits. The bounties still trigger them.

[-] fhein@lemmy.world 1 points 3 days ago

If they are getting valid findings with high quality reports from AI tools already, why would they do that?

this post was submitted on 15 Apr 2026

43 points (100.0% liked)

Linux

64667 readers

116 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz