curl
Developers "try their luck" with AI-generated junk vulnerability reports to farm bounties! curl's founder has had enough: the bug bounty is cancelled
程序员的那些事 · 2026-01-26 04:44
Reposted from: CSDN (ID: CSDNnews). Dragged down by a flood of AI-generated "junk vulnerability reports", with maintainers worn out from triaging them and unable to assess code quality, a bug bounty program that had run for years finally had to be halted. This is what recently happened to the open-source data transfer tool curl, and it may well be the reality that more and more open-source projects are facing. Last week, curl founder and lead developer Daniel Stenberg pushed a commit to the GitHub repository with an almost coldly blunt title: "BUG-BOUNTY.md: we will end the bug bounty program at the end of January 2026". In that commit he stated plainly that all content related to the bug bounty and the HackerOne platform would be removed from the project. This means the curl bug bounty program, launched in 2019 and running for years since, is officially coming to an end. A small maintainer team crushed by "AI junk": in the explanation published afterwards, Daniel Stenberg did not shy away from the real reason. "We are only a small open-source project with a limited number of active maintainers," he wrote. "We have no way to change how these people and their 'junk generation tools' operate. For the project to keep living, and for the mental health of the maintainers, we have to make changes." As one of the most widely used network tools on the internet, cur ...
Developers "trying their luck" with AI-generated junk vulnerability reports to farm bounties anger curl's founder: bug bounty cancelled, don't waste our time or you'll be banned and publicly mocked
36Ke · 2026-01-23 11:41
Dragged down by a flood of AI-generated "junk vulnerability reports", with maintainers worn out from triaging them and unable to assess code quality, a bug bounty program that had run for years finally had to be halted. This is what recently happened to the open-source data transfer tool curl, and it may well be the reality that more and more open-source projects are facing. Last week, curl founder and lead developer Daniel Stenberg pushed a commit to the GitHub repository with an almost coldly blunt title: "BUG-BOUNTY.md: we will end the bug bounty program at the end of January 2026". In that commit he stated plainly that all content related to the bug bounty and the HackerOne platform would be removed from the project. This means the curl bug bounty program, launched in 2019 and running for years since, is officially coming to an end. A small maintainer team crushed by "AI junk": in the explanation published afterwards, Daniel Stenberg did not shy away from the real reason. "We are only a small open-source project with a limited number of active maintainers," he wrote. "We have no way to change how these people and their 'junk generation tools' operate. For the project to keep living, and for the mental health of the maintainers, we have to make changes." As one of the most widely used network tools on the internet, the curl project has seen the quality of the vulnerability reports it receives decline sharply in recent years; many ...
X @Elon Musk
Elon Musk· 2025-12-21 01:26
Technology & Development
- A 200,000 line socket library in C was built using Grok [1]
- A curl implementation was written in approximately 470 lines of code and 240 lines of comments [1]
- The library handles HTTPS, HTTP/2, Happy Eyeballs, TLS 1.3, redirect following, and connection pooling [1]
- The company is preparing to release low-level network code [1]
curl project founder "driven mad" by AI, blasts junk reports as comparable to a DDoS attack! Netizens: but the bosses think AI can do anything
AI前线 · 2025-05-19 09:11
Core Viewpoint
- The curl project founder Daniel Stenberg has expressed frustration over the increasing number of low-quality AI-generated vulnerability reports, which he likens to a form of DDoS attack on project maintenance efforts [1][2][3].
Group 1: AI-Generated Reports Impact
- Stenberg highlighted that project maintainers are spending excessive time categorizing AI-assisted vulnerability reports, often finding them to be worthless [2][3].
- The proportion of low-quality reports has been steadily increasing, with Stenberg noting that the project has never received a valid bug report generated by AI [3][4].
- The influx of these reports is causing significant strain on open-source maintainers, many of whom are volunteers, leading to potential burnout and attrition within the community [8][9].
Group 2: Community Response and Recommendations
- Seth Larson from the Python development team has echoed concerns about the time and resources wasted on these reports, suggesting that they should be considered malicious content [6][7].
- Larson emphasized the need for systemic changes in the open-source security domain, advocating for a more regulated and transparent contribution oversight system [9][10].
- Recommendations include financial support for projects and encouraging more professionals to contribute, creating a more diverse participation landscape [10][11].
Group 3: Ethical Considerations and Accountability
- Larson urged vulnerability submitters to adhere to professional ethics and avoid submitting unverified AI-generated reports, as current AI technologies lack true code comprehension [12].
- Vulnerability management platforms are called upon to take responsibility and implement measures to curb the misuse of automated tools and the proliferation of malicious reports [13].
Group 4: Broader Implications and Concerns
- The rise of AI-generated reports is seen as part of a larger trend affecting various sectors, with concerns that it could lead to a significant erosion of trust and quality in open-source projects [25][27].
- There is a fear that reliance on AI could mislead management into believing that they can reduce the number of experienced developers, which poses a risk to the integrity of software development [27][28].
curl project founder "driven mad" by AI, blasts junk reports as comparable to a DDoS attack; netizens: but the bosses think AI can do anything
36Ke · 2025-05-08 09:37
Core Insights
- The founder of the curl project, Daniel Stenberg, expressed frustration over the increasing number of low-quality AI-generated vulnerability reports, which he likened to a DDoS attack on project maintenance efforts [2][3][10]
- New regulations have been introduced for submitting security reports on HackerOne, requiring researchers to disclose if AI was used in their findings, with strict consequences for those submitting low-quality reports [2][3][13]
- The rise of AI-generated reports is causing significant strain on open-source maintainers, leading to concerns about burnout and the sustainability of volunteer contributions [5][6][10]
Group 1: AI-Generated Reports Impact
- Stenberg highlighted that the volume of AI-assisted vulnerability reports has surged, requiring maintenance personnel to spend excessive time categorizing them, often finding them to be worthless [2][3]
- The curl project has never received a valid bug report generated by AI, and the proportion of junk reports continues to rise [2][3][13]
- The situation is not unique to curl; similar concerns have been raised by other open-source projects, such as Python, indicating a broader trend affecting the community [5][6][10]
Group 2: Community Response and Solutions
- There is a call for the open-source community to take proactive measures to mitigate the negative impact of AI-generated reports, emphasizing the need for systemic changes in how contributions are managed [6][7]
- Suggestions include funding support for projects and encouraging more professionals to contribute, creating a more diverse participation landscape [6][7]
- The importance of ethical reporting practices is stressed, with a recommendation for submitters to avoid AI-generated reports that lack human verification [6][7]
Group 3: Broader Implications
- The proliferation of low-quality reports is seen as a potential threat to the integrity of open-source projects, as they consume valuable time and resources of maintainers [5][10]
- Concerns have been raised about the perception of AI in the tech industry, with some executives mistakenly believing that AI can replace experienced developers, leading to systemic chaos [19][20]
- The community is urged to filter out obvious AI-generated reports to maintain quality and efficiency, highlighting the need for vigilance against the influx of such content [19][20]