The Zig programming language has updated its code of conduct to ban LLM-generated code, vulnerability research, text-generation, and about anything AI at all
-
Where the heck did you read *that*?
@datenwolf @campuscodi „The Zig programming language has updated its code of conduct to ban LLM-generated code, vulnerability research, text-generation, and about anything AI at all“
OP said that. Banning any kind of vulnerability research is stupid. If you allow fuzzing why not allow AI based?
-
@datenwolf @campuscodi „The Zig programming language has updated its code of conduct to ban LLM-generated code, vulnerability research, text-generation, and about anything AI at all“
OP said that. Banning any kind of vulnerability research is stupid. If you allow fuzzing why not allow AI based?
Yes?!
Banning LLM generated "vulnerability" ""research"" is the proper proactive move. They've taken the lesson from cURL which was drowning in LLM generated vuln reports, of which only a tiny fraction was actually valid; the rest was fabricated noise.
If the signal-to-noise ratio gets degraded by some "tool", than this tool does more ham than good, as it will obscure legit reports.
The fabricated reports take away time from looking at the legit stuff.
-
Yes?!
Banning LLM generated "vulnerability" ""research"" is the proper proactive move. They've taken the lesson from cURL which was drowning in LLM generated vuln reports, of which only a tiny fraction was actually valid; the rest was fabricated noise.
If the signal-to-noise ratio gets degraded by some "tool", than this tool does more ham than good, as it will obscure legit reports.
The fabricated reports take away time from looking at the legit stuff.
Also they're not banning the submission of reports on issues that a human has thought through and written a PoC by hand, even if the actual detection of the issue was found by some AI tool.
What's banned is offloading the whole work of "detection / PoC / writing report / submission" to AI. We want whoever did the submission also have thorough understanding of what's going on; we want to be able to inquire the thought process. You can't introspect an LLM.
-
Yes?!
Banning LLM generated "vulnerability" ""research"" is the proper proactive move. They've taken the lesson from cURL which was drowning in LLM generated vuln reports, of which only a tiny fraction was actually valid; the rest was fabricated noise.
If the signal-to-noise ratio gets degraded by some "tool", than this tool does more ham than good, as it will obscure legit reports.
The fabricated reports take away time from looking at the legit stuff.
@datenwolf @campuscodi you should read up on that. Curl does use AI to identify vulnerabilities themselves:
Mythos finds a curl vulnerability
yes, as in singular one. Back in April 2026 Anthropic caused a lot of media noise when they concluded that their new AI model Mythos is dangerously good at finding security flaws in source code. Apparently Mythos was so good at this that Anthropic would not release this model to the public yet but instead … Continue reading Mythos finds a curl vulnerability →
daniel.haxx.se (daniel.haxx.se)
Vulnerability submission != vulnerability research.
If they would require a human in the loop before submitting vulns, that would make sense. To ban usage of AI for vulnerability research is just plain stupid. To disallow any method to find vulnerabilities is security by obscurity and should be treated as such. -
Also they're not banning the submission of reports on issues that a human has thought through and written a PoC by hand, even if the actual detection of the issue was found by some AI tool.
What's banned is offloading the whole work of "detection / PoC / writing report / submission" to AI. We want whoever did the submission also have thorough understanding of what's going on; we want to be able to inquire the thought process. You can't introspect an LLM.
@datenwolf @campuscodi then tell OP to update his hilarious „AI bad“ post to reflect that - not me.
-
About that… ask the cURL developers how well that work(ed) for them. TL;DR: they were drowning in LLM generated vulnerability reports, of which only a tiny fraction were actually valid. Any tool that dramatically degrades the signal-to-noise ratio does more harm than good.
@datenwolf @Beggarmidas @campuscodi well, that is just outdated information. Now they are mostly high quality reports... https://daniel.haxx.se/blog/2026/04/22/high-quality-chaos/
-
@datenwolf @campuscodi then state that instead. There no benefit in doing it that way. Forbidding a tool to be used is stupid. Requiring human oversight is not. Curl somewhat roled back in their statement and so will zig.
-
@datenwolf @campuscodi but the „benevolent“ chief master of awesomeness said it differently in the interview:
—
They will accept no LLM-generated content, nothing paraphrased from an LLM, and nothing edited, brainstormed, or debugged by an LLM. In short: Keep AI out of it.
On the JetBrains podcast, Zig President Andrew Kelley called AI-assisted contributions "invariably garbage."
—So perhaps it’s time to tell Donny about the actual policy…
-
@johan_andersson @campuscodi could you not spam hashtags inside your message ? this really messes up the flow with screen readers, making your posts less accessible
also that change was before bun got "rewritten" in rust
@SRAZKVT @campuscodi My apologies; I'm new to Mastodon and I thought I was following best practices per fedi.tips. Still learning!
-
@SRAZKVT @campuscodi My apologies; I'm new to Mastodon and I thought I was following best practices per fedi.tips. Still learning!
@johan_andersson @campuscodi hashtags are fine, but it is generally better to put them at the end of posts, then they all bunched together, rather than blended into the message
-
R relay@relay.infosec.exchange shared this topic
