Curl Project Discontinues AI-Generated Vulnerability Report Reviews on HackerOne

Daniel Stenberg, the creator of curl, has announced that his open-source project will stop evaluating AI-generated vulnerability reports submitted through the HackerOne platform.

According to Stenberg, the volume of such AI-generated vulnerability reports overwhelms the project’s team. Verifying these AI reports takes significantly more time than it does to produce them using AI in the first place.

As reported by Linux.org.ru, Stenberg provided an example of one such report, numbered #3125832. The initial patch in this report was incompatible with any version of the curl utility for which it was intended. The patch author did not respond to clarifying questions from developers. Instead, when asked about topics such as cyclic dependencies, they provided examples of non-existent functions in curl and gave instructions on using git to apply the patch.

In response to the surge of similar AI-generated reports, Stenberg has warned that report authors must now state whether AI was used in creating the report and be prepared for follow-up questions to demonstrate that they thoroughly vetted the results. Moreover, any authors suspected of submitting reports that can be deemed "AI slop" (low-quality content generated by AI) will be banned instantly.

Stenberg emphasized that, as of now, they have not encountered a single instance of a useful vulnerability report generated by AI systems.

curl version 8.13 was released on April 2, 2025. The project's code is available on GitHub under the curl open-source license (a variant of the MIT license). Version 8.0 of curl was released in March of the previous year.