
This is silly, people don't need AI to send you garbage. If your project is getting lots of junk reports, you should take it as a good sign, that people are looking at it a lot now. You don't remove the incentive, you ask for help to triage the junk.

Curl is a popular and well-supported tool; if it needs help in this area, there will be a long line of competent people not volunteering their time and/or money. If you need help, get more help. Don't use "AI slop" as an excuse to remove the one incentive people have to not sell exploits or just hoard them.





Curl did already tend to get a decent number of junk reports from people who just didn't know what they were doing, but this was limited to the number of productive idiots who focused their productivity on curl specifically. AI allows significantly less motivated idiots to create substantially more workload, and therefore upgrades this phenomenon from a minor annoyance to a big problem, one that may just render publicly submitted bug reports not worth the project's time.

(And no, curl does not have a huge pool of potential maintainers to pull from on this. Open-source software in general suffers from a big lack of manpower, especially relative to the popularity of the tool.)


My point was #1 that it is a volume problem, and #2, you don't need maintainers to triage bugs and PRs; even bots can do that for simpler things. They can have a pool of project members to upvote a bug report before maintainers look at it.

There are many incentives not to sell exploits, the major one being that it's not logistically feasible. First of all, the people submitting these false reports don't have any real exploits.

But imagine you were sitting on an actual RCE exploit in curl, who would you sell it to? How would you convince them it's working without disclosing the details for free? How would you get paid?

> Curl is a popular and well supported tool, if it needs help in this area, there will be a long line of competent people not volunteering their time and/or money

I'm not sure if that not is a typo, but yes, even though a tool is very popular, there's almost nobody competent and willing to work on it for free. This has been a well-known problem in open source for decades now.


It's a typo. Even if they don't sell it, why report it to curl? For clout? You can still exploit it against real-world apps. Who would they sell it to? I would sell it to Zerodium instead of reporting it to curl, personally.

How much time do people spend finding bugs? Is their time not worth anything because some other random people decide to use AI?

Curl is high-visibility; there are people, and it doesn't take a lot of competency to triage. Heck, I like to think I have a good handle on C and memory exploitation; I will volunteer my time for free if they need help.


> This is silly, people don't need AI to send you garbage

People also don't need cigarettes to fall ill. But smoking still causes health problems.


What's your point? Because people smoke cigarettes, people who buy unrelated things should be punished? Or because a store sells cigarettes, stores in general shouldn't be paid for what they sell? Or is the time and effort to find vulns valueless?

The point is that "can happen without [THING] as well" does not mean the argument "[THING]'s existence exacerbates the problem" is wrong.

No, the implication that "THING" is the cause of something and therefore something needs to be done must withstand the scrutiny of "other THINGS" also causing that thing, and therefore the solution is attacking either only one cause or not the real root cause.

The fact that bad reports have to be triaged doesn't change with AI. What changed is the volume, clearly. So the reasonable response is not to blame "AI" but to ask for help with the added volume.

If HN gets flooded by AI spam, is the right response shutting down HN? Spam is spam whether AI does it or a dedicated and coordinated large number of humans do it. The problem doesn't change because of who is causing it in this case.


> What changed is the volume, clearly.

The change in volume was the tipping point between bug bounties being offered and devs being able to handle bad reports, and the bug bounty being nixed because devs are no longer willing to handle the flood.

And the root cause for the change in volume is generative AI.

So yes, this is causally related.

> The problem doesn't change because of who is causing it in this case.

Wrong.

Because SCALE MATTERS. Scale is the difference between a few pebbles causing a minor inconvenience, and a landslide destroying a house.

So whatever makes the pebbles become a landslide changed the problem. Completely.


How can you say "wrong" and then go on to say scale matters? That means scale is the problem, not who is reporting it. You contradicted yourself.

We're in agreement that it is a scale issue. When something needs to scale, you address the scale problem. Obviously the devs can't handle this volume, and I agree with that too. Our disagreement is the response.

I guarantee that if they asked for volunteers they'd get at least 100 within a week. They can filter by previous bug triage experience and experience with C and the code base. My suggestion is to let people other than the devs triage bug reports; that will resolve the scale problem. curl devs never have to see a bug not triaged by a human they've vetted. There is also no requirement on their part to respond to a certain number of bug reports, so with or without help, they can let the stack pile up and it will still be better than nothing.


You don't need a car to kill someone in traffic, but it's certainly much easier with one.


