Open Source Maintainers Are Drowning in Junk Bug Reports Written By AI

An anonymous reader shares a report: Software vulnerability submissions generated by AI models have ushered in a 'new era of slop security reports for open source' -- and the devs maintaining these projects wish bug hunters would rely less on results produced by machine learning assistants. Seth Larson, security developer-in-residence at the Python Software Foundation, raised the issue in a blog post last week, urging those reporting bugs not to use AI systems for bug hunting.

'Recently I've noticed an uptick in extremely low-quality, spammy, and LLM-hallucinated security reports to open source projects,' he wrote, pointing to similar findings from the Curl project in January. 'These reports appear at first glance to be potentially legitimate and thus require time to refute.' Larson argued that low-quality reports should be treated as if they're malicious.

As if to underscore the persistence of these concerns, a Curl project bug report posted on December 8 shows that nearly a year after maintainer Daniel Stenberg raised the issue, he's still confronted by 'AI slop' -- and wasting his time arguing with a bug submitter who may be partially or entirely automated.

Read more of this story at Slashdot.