curl
curl project founder "driven mad" by AI, blasts junk reports as comparable to a DDoS attack! Commenters: but the bosses think AI can do anything
AI前线· 2025-05-19 09:11
Core Viewpoint
- The curl project founder Daniel Stenberg has expressed frustration over the increasing number of low-quality AI-generated vulnerability reports, which he likens to a form of DDoS attack on project maintenance efforts [1][2][3].

Group 1: AI-Generated Reports Impact
- Stenberg highlighted that project maintainers are spending excessive time categorizing AI-assisted vulnerability reports, often finding them to be worthless [2][3].
- The proportion of low-quality reports has been steadily increasing, with Stenberg noting that the project has never received a valid bug report generated by AI [3][4].
- The influx of these reports is causing significant strain on open-source maintainers, many of whom are volunteers, leading to potential burnout and attrition within the community [8][9].

Group 2: Community Response and Recommendations
- Seth Larson from the Python development team has echoed concerns about the time and resources wasted on these reports, suggesting that they should be considered malicious content [6][7].
- Larson emphasized the need for systemic changes in the open-source security domain, advocating for a more regulated and transparent contribution oversight system [9][10].
- Recommendations include financial support for projects and encouraging more professionals to contribute, creating a more diverse participation landscape [10][11].

Group 3: Ethical Considerations and Accountability
- Larson urged vulnerability submitters to adhere to professional ethics and avoid submitting unverified AI-generated reports, as current AI technologies lack true code comprehension [12].
- Vulnerability management platforms are called upon to take responsibility and implement measures to curb the misuse of automated tools and the proliferation of malicious reports [13].

Group 4: Broader Implications and Concerns
- The rise of AI-generated reports is seen as part of a larger trend affecting various sectors, with concerns that it could lead to a significant erosion of trust and quality in open-source projects [25][27].
- There is a fear that reliance on AI could mislead management into believing that they can reduce the number of experienced developers, which poses a risk to the integrity of software development [27][28].
curl project founder "driven mad" by AI, blasts junk reports as comparable to a DDoS attack; commenters: but the bosses think AI can do anything
36Ke · 2025-05-08 09:37
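Recently, Daniel Stenberg, founder of the curl project (a command-line tool and library for transferring data via URLs), posted on LinkedIn that he has had enough of the flood of AI-generated "junk" vulnerability reports, and has therefore recently introduced an additional checkbox to filter out these low-value submissions that waste maintainers' time for nothing.

1 curl founder "driven mad" by AI junk

Stenberg said that project maintainers have to spend a great deal of time triaging every AI-assisted vulnerability report submitted through HackerOne, yet often find that the reports contain nothing of value, which in effect amounts to a DDoS attack on the project.

On LinkedIn, Stenberg cited a recent report that "pushed him past his limit" and said: "That's it. I've had it. I'm putting my foot down on this craziness."

There are now some new rules for submitting curl-related security reports on HackerOne. For example, all researchers who submit curl security reports through HackerOne must now answer the following question:

"Did you use AI to find this vulnerability or to generate this report?"

If they select "Yes", the bug reporter faces a series of follow-up questions, including a request for evidence that the bug really exists, before the curl team will spend time verifying it.

Stenberg added ...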