The AI slop security reporting is basically extinct.

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 15:43:31 GMT

stephanie@mastodon.social — Wed, 15 Apr 2026 15:43:31 GMT

@bagder Seems like all you need to do is take away the incentive to get rid of the low effort reports.

Sad they had to ruin it for real reporters now as they don’t get their (deserved) bounty anymore in exchange for the good work they’re doing.

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 14:14:38 GMT

davidism@mas.to — Wed, 15 Apr 2026 14:14:38 GMT

@bagder Unfortunately that hasn't made it to Flask yet, we still get a bunch of AI slop. About 50 reports so far this year, none helpful. Typically we get < 10 per year, some helpful.

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 13:28:59 GMT

ben@snac.benbuhse.com — Wed, 15 Apr 2026 13:28:59 GMT

@mjd@mathstodon.xyz @pozorvlak@mathstodon.xyz I mean, it’s terrible for the environment, has loads of ethical and moral concerns, and the companies are completely unsustainable. It’s pretty easy to hate

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 12:37:32 GMT

nicolas17@social.treehouse.systems — Wed, 15 Apr 2026 12:37:32 GMT

@bagder I wonder how much of that is because you eliminated the bounty

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 11:09:58 GMT

mdione@en.osm.town — Wed, 15 Apr 2026 11:09:58 GMT

@utopiah @bagder there's no irony at all, it's at minimum a marketing strategy.

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 10:34:30 GMT

miketheman@hachyderm.io — Wed, 15 Apr 2026 10:34:30 GMT

@bagder you're lucky. I got 30+ yesterday. 1 was kind of credible. The others were effectively documented behaviors of projects.
There's still little to no consequences for wasting time - I've been thinking about the "name and shame" approach you have, maybe that helps change the behavior?

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 10:23:44 GMT

ori@hj.9fs.net — Wed, 15 Apr 2026 10:23:44 GMT

Yes, it would be nice if we stopped building hell so people can roast a few marshmallows. Marshmallows are nice, but not that nice.

CC: @pozorvlak@mathstodon.xyz

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 10:11:58 GMT

pozorvlak@mathstodon.xyz — Wed, 15 Apr 2026 10:11:58 GMT

@mjd ah, good point. Reliably bad reports waste a small amount of time, but more than zero. The worst case is reports that are only sometimes good, because then you have to read them all carefully.

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 09:56:56 GMT

mjd@mathstodon.xyz — Wed, 15 Apr 2026 09:56:56 GMT

@pozorvlak If that were the reason, wouldn't they want the reports to be as good as possible, and be glad if the reports were all worth reading? But this person says they are disappointed!

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 09:53:44 GMT

pozorvlak@mathstodon.xyz — Wed, 15 Apr 2026 09:53:44 GMT

@mjd I think so. But also, if all AI-generated bug reports are useless, you can stop reading as soon as you've decided a bug report came from an AI.

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 09:50:05 GMT

utopiah@mastodon.pirateparty.be — Wed, 15 Apr 2026 09:50:05 GMT

@bagder sure, ironically enough there is no "I" in AI.

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 09:47:03 GMT

mjd@mathstodon.xyz — Wed, 15 Apr 2026 09:47:03 GMT

@pozorvlak Now I think a more reasonable interpretation is: they are concerned about copyright violations, environmental damage, etc., and are dismayed that people like me use AI anyway. The fact of its getting better doesn't fix the other problems, and just means that there are fewer arguments against using it.

(“This is terrible” vs. “This is terrible, maybe when people realise that it doesn't work, they will stop.”)

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 09:39:09 GMT

mjd@mathstodon.xyz — Wed, 15 Apr 2026 09:39:09 GMT

@pozorvlak To me, the most interesting part of that thread was this post.

This person considers AI their enemy. But not because it is wasting Stenberg's time. They wanted it to continue to waste Stenberg's time, so that they could continue to hate it more.

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 08:30:48 GMT

alesandroortiz@infosec.exchange — Wed, 15 Apr 2026 08:30:48 GMT

@bagder Do reporters share the tools used, or are there strong tool indicators in the reports?

Curious about which tool(s) are most successful, at least for cURL research.

I imagine in most cases reporters don't mention the tools used (especially if custom), which is unfortunate.

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 07:42:56 GMT

louisbotha@mastodon.social — Wed, 15 Apr 2026 07:42:56 GMT

@bagder Can't wait for your next graph

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 07:20:25 GMT

stevel@hachyderm.io — Wed, 15 Apr 2026 07:20:25 GMT

@bagder I see
- good ones using AI as part of a rigorous process with replication
- mediocre where someone asked an AI "Find me a CVE", submits the report without review or replication, and yet still expects credit

If "have write access to the filesystem" is a prerequisite to an exploit: it's not an exploit. You already have total ownership of the server

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 07:19:27 GMT

edmcbane@hachyderm.io — Wed, 15 Apr 2026 07:19:27 GMT

@Varpie @bagder 90% of the time it works every time. It probably improved dramatically, but still slop lingers?

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 07:18:55 GMT

langerjan@chaos.social — Wed, 15 Apr 2026 07:18:55 GMT

@bagder Well, I guess you could quickly convince them otherwise with your "reports/ai-slop ratio" graph.

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 07:06:38 GMT

bagder@mastodon.social — Wed, 15 Apr 2026 07:06:38 GMT

@utopiah probably, but also because the AIs can't really tell

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 07:05:57 GMT

utopiah@mastodon.pirateparty.be — Wed, 15 Apr 2026 07:05:57 GMT

@bagder "they tend to overstress the vulnerability angle." which I imagine is simply because that's what the prompt suggested.

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 07:05:32 GMT

grayrattus@mastodon.social — Wed, 15 Apr 2026 07:05:32 GMT

@bagder yeah. Sorry. More like summary of the situation.

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 07:02:36 GMT

grayrattus@mastodon.social — Wed, 15 Apr 2026 07:02:36 GMT

@j_s_j @bagder @annika month.

Claude Mythos Preview \ red.anthropic.com

(red.anthropic.com)

Here you can read more.

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 07:02:27 GMT

hughsie@mastodon.social — Wed, 15 Apr 2026 07:02:27 GMT

@bagder I get this with fwupd too. Everything that's AI found is reported as a CVSS 10.0 CRITICAL vulnerability, and then you find out it's assuming the attacker has write access on /etc or something dumb like that.

At that point it's just a regular old typo bugfix like all the other thousands of unimportant commits.

Reply to The AI slop security reporting is basically extinct. on Wed, 15 Apr 2026 07:02:03 GMT

bagder@mastodon.social — Wed, 15 Apr 2026 07:02:03 GMT

@grayrattus it was never my opinion as much as my summary of the situation... and the situation has changed quite drastically