# D2DO277: AI Security Submissions at Curl Dev

Page: https://stenobird.com/podcast/day-two-devops/d2do277-ai-security-submissions-at-curl-dev
Text version: https://stenobird.com/podcast/day-two-devops/d2do277-ai-security-submissions-at-curl-dev.md
Podcast: [Day Two DevOps](https://stenobird.com/podcast/day-two-devops)
Published: 2025-07-16T13:59:22+00:00
Episode link: https://packetpushers.net/podcasts/day-two-devops/d2do277-ai-security-submissions-at-curl-dev/
Audio file: https://feeds.packetpushers.net/link/20975/17097132/D2DO277.mp3
Processing state: processed
JSON: https://stenobird.com/v1/public/podcasts/day-two-devops/episodes/d2do277-ai-security-submissions-at-curl-dev
Duration seconds: 2110

## Resource

Daniel Stenberg, the creator of curl, discusses the rising tide of low-quality, AI-generated security reports flooding open-source maintainers. He explores why AI lacks the domain context to distinguish between internal code vulnerabilities and exploitable API flaws.

## Highlights

- Main idea: AI-generated security reports often lack the necessary context of API boundaries, leading to reports on non-exploitable internal functions.
- Failure mode: LLMs frequently hallucinate non-existent repositories and hyperlinks when asked to verify the scope of a vulnerability.
- Practical takeaway: AI is a useful pattern-matching tool for experts, but it remains a 'blunt tool' that requires heavy human verification.
- Trend: Approximately 20% of recent security submissions to curl have been identified as 'AI slop' or low-quality automated reports.
- Risk: High volumes of automated, false-positive reports act as a form of 'sand in the machine,' disrupting the workflow of maintainers.

## Topics

curl, open source security, artificial intelligence, vulnerability research, software maintenance, libcurl, bug bounties, LLM hallucinations

## Chapters

- 3:25 — The Origins of curl: Daniel recounts how curl began in 1996 as a 100-line tool for an IRC bot to track currency rates.
- 5:50 — Massive Scale and Growth: A look at curl's evolution from a small utility to 180,000 lines of code used in everything from cars to printers.
- 8:15 — libcurl and the Internet: Understanding the massive footprint of libcurl across the global internet infrastructure beyond the command-line tool.
- 11:15 — The Rise of AI Security Reports: The emergence of automated security and feature reports and the potential for AI to assist or hinder maintainers.
- 13:45 — The Bounty Hunter Problem: How AI-driven automation is being used by individuals to hunt for bug bounties, often leading to low-quality submissions.
- 16:40 — Context Loss in AI Explanations: How using AI to explain bugs can actually obscure the original problem by losing critical technical context.
- 19:20 — The Burden of False Positives: The disruptive impact of high-priority, automated reports that require significant engineering time to debunk.
- 24:15 — Navigating AI Slop: Analyzing the increase in 'AI slop' submissions and the difficulty of managing automated noise in open source.

## Actions

- request_transcript: `POST https://stenobird.com/v1/public/podcasts/day-two-devops/episodes/d2do277-ai-security-submissions-at-curl-dev/transcription-requests` — Idempotently request low-priority transcript generation for this episode.
- read_markdown: `GET https://stenobird.com/podcast/day-two-devops/d2do277-ai-security-submissions-at-curl-dev.md` — Read the agent-friendly Markdown representation of this episode resource.

A page view does not enqueue transcription. Agents should invoke `request_transcript` explicitly when they need this episode processed.

## Transcript

Full transcripts are not published on public pages unless there is a clear rights basis.