GOVERNANCE / Other
Daniel Stenberg, curl's lead maintainer for 28 years, posts "The pressure". AI-assisted security reports against curl have more than doubled. Quality is up, but volume has crossed into burnout territory for the entire security team.
4-5x more security reports than 2024. Double the 2025 rate. More than one report per day, every day. The reports are real, detailed, often valid.
Stenberg's wife asked him about his work hours for the first time in his career. The curl team feels obligated to triage every report because most are now credible. AI tools help researchers and attackers move at LLM speed. Maintainers don't. The asymmetry is the story.
For execs running security programs: the AI-offense side is in production. Audit dependency footprint. For PMs at security vendors: a new buyer emerged. The maintainer drowning in valid reports needs triage tooling.
⚡ Why this matters
- "AI helps engineers" is half the story. AI also helps researchers. Same dependencies, both sides.
- Open source security now runs on a velocity asymmetry. Reports come in at LLM speed. Triage doesn't.
- Stenberg's voice carries rare credibility: curl runs in 30+ billion devices, and he has maintained it for 28 years.
🔍 What happened
- May 26, 2026. Daniel Stenberg posts "The pressure" on daniel.haxx.se.
- Report rate: 4-5x vs 2024. 2x vs 2025. Over 1 report per day on average.
- Quality is up: detailed, often valid bugs. Severity stays LOW or MEDIUM.
- curl killed the HackerOne bug bounty Jan 31, 2026 (over AI slop). Reports now go through GitHub.
- Linus Torvalds (Linux kernel): security mailing list "almost entirely unmanageable" from duplicates.
- Simon Willison amplifies via his weblog (May 26).
💬 Smart takes
- Stenberg: "For the first time in my life, my wife voiced concerns about my work hours and my imbalanced work/life situation."
- Stenberg at FOSDEM 2026: AI augments humans "in two directions: the bad way or the good way."
- Skeptic: curl could ignore reports. They choose not to out of responsibility. That choice doesn't scale to every project. Most open source security teams will simply break.
🧭 Where this goes
- A "maintainer triage assistant" startup raises a seed round before Q4 2026.
- Anthropic Glasswing and OpenAI's offensive research labs face pressure to fund defense too.
- Open Source Pledge gains traction as labs are asked to underwrite maintainer time.
- CISA or EU CRA introduces "AI-assisted disclosure" reporting standards by 2027.
🎯 Implication
- For execs at companies relying on open source: AI security work shifts cost to maintainers you don't pay. Audit funding contribution policy.
- For PMs at security tools: ship a triage layer that batches and dedups LLM-generated reports. Open source maintainers are the new buyer.