<![CDATA[AIs have been finding bugs and vulnerabilities in #curl for some time.]]>AIs have been finding bugs and vulnerabilities in for some time.

Is it work to fix those? Yes.

Has someone paid for this? Partially (wolfSSL and @sovtechfund)

Are the AIs annoying? Yes, very.

Could humans find the same bugs? Yes, if they‘d somehow avoid being bored to death through it.

Was there something „heartbleed“ like? No.

Were there lots of C mistakes? No, logic bugs mostly.

Do AIs run out of steam? Yes. After a while a model stops finding things. Findings differ per model.

]]>https://forum.fedi.dk/topic/7cad457c-3ca0-4bb1-a737-2465d55dc714/ais-have-been-finding-bugs-and-vulnerabilities-in-curl-for-some-time.RSS for NodeWed, 22 Apr 2026 17:40:09 GMTSat, 18 Apr 2026 06:34:29 GMT60<![CDATA[Reply to AIs have been finding bugs and vulnerabilities in #curl for some time. on Sat, 18 Apr 2026 11:16:36 GMT]]>@jfbucas @icing @sovtechfund @bortzmeyer For a while, I guess. There is a limit we already seem to be seeing: the amount of bugs is large, but not infinite. Also: once we integrate a check using these LLM’s into our build chains, the amount of bugs discovered after release may actually go down, eventually.

]]>https://forum.fedi.dk/post/https://mastodon.nl/users/mkoek/statuses/116425424670804276https://forum.fedi.dk/post/https://mastodon.nl/users/mkoek/statuses/116425424670804276Sat, 18 Apr 2026 11:16:36 GMT<![CDATA[Reply to AIs have been finding bugs and vulnerabilities in #curl for some time. on Sat, 18 Apr 2026 09:33:48 GMT]]>@tkissing @icing @sovtechfund Even better: ’s own employees whipped up some pipeline to channel all the findings to Upwork and similar click-work platforms, which then makes underpaid laborers do the actual work.

]]>https://forum.fedi.dk/post/https://chaos.social/users/fnwbr/statuses/116425020408126748https://forum.fedi.dk/post/https://chaos.social/users/fnwbr/statuses/116425020408126748Sat, 18 Apr 2026 09:33:48 GMT<![CDATA[Reply to AIs have been finding bugs and vulnerabilities in #curl for some time. on Sat, 18 Apr 2026 09:23:17 GMT]]>@icing @sovtechfund Call me overly skeptic, but remembering Builder.ai I would not be surprised if Anthropic has a bunch of engineers run Mythos on a few high-profile projects and filter out all the bad reports before they get actually posted to make their model look better than it is.

]]>https://forum.fedi.dk/post/https://mastodon.social/users/tkissing/statuses/116424979081124038https://forum.fedi.dk/post/https://mastodon.social/users/tkissing/statuses/116424979081124038Sat, 18 Apr 2026 09:23:17 GMT<![CDATA[Reply to AIs have been finding bugs and vulnerabilities in #curl for some time. on Sat, 18 Apr 2026 09:00:55 GMT]]>@connynasch @icing @sovtechfund
Update from daniel
https://mastodon.social/@bagder/116407367327224765

]]>https://forum.fedi.dk/post/https://mas.to/users/aliengasmask/statuses/116424891110634248https://forum.fedi.dk/post/https://mas.to/users/aliengasmask/statuses/116424891110634248Sat, 18 Apr 2026 09:00:55 GMT<![CDATA[Reply to AIs have been finding bugs and vulnerabilities in #curl for some time. on Sat, 18 Apr 2026 08:28:13 GMT]]>@jfbucas @mkoek @sovtechfund @bortzmeyer

The speed is enabled by skewing the economics. People can search for bugs using billions of investment at little cost.

Open Source has increased load due to this, but is not at risk. We do not guarantee any fitness for purpose.

Businesses, especially the ones not *always* running the latest version of software, are more exposed.

But we do not see an uptake of investment into project security from the commercial side.

]]>https://forum.fedi.dk/post/https://chaos.social/users/icing/statuses/116424762530923115https://forum.fedi.dk/post/https://chaos.social/users/icing/statuses/116424762530923115Sat, 18 Apr 2026 08:28:13 GMT<![CDATA[Reply to AIs have been finding bugs and vulnerabilities in #curl for some time. on Sat, 18 Apr 2026 08:14:30 GMT]]>@mkoek @icing @sovtechfund @bortzmeyer

Isn't the fundamental difference the speed of discovering new issues, mixing highlevel knowledge from various parts of the stack?

It's going to be a bit hairy for the next months/years while everybody cope on?

]]>https://forum.fedi.dk/post/https://mastodon.dias.ie/users/jfbucas/statuses/116424708650620553https://forum.fedi.dk/post/https://mastodon.dias.ie/users/jfbucas/statuses/116424708650620553Sat, 18 Apr 2026 08:14:30 GMT<![CDATA[Reply to AIs have been finding bugs and vulnerabilities in #curl for some time. on Sat, 18 Apr 2026 07:39:23 GMT]]>@icing @sovtechfund https://thenewstack.io/curls-daniel-stenberg-ai-is-ddosing-open-source-and-fixing-its-bugs/ I found this 🤔

]]>https://forum.fedi.dk/post/https://mastodon.social/users/connynasch/statuses/116424570509084898https://forum.fedi.dk/post/https://mastodon.social/users/connynasch/statuses/116424570509084898Sat, 18 Apr 2026 07:39:23 GMT<![CDATA[Reply to AIs have been finding bugs and vulnerabilities in #curl for some time. on Sat, 18 Apr 2026 07:18:48 GMT]]>@icing @sovtechfund I’ve been in security almost 30 years and seen so many claims of “this will change the industry forever”. What’s remarkable to me is how constant it has been. We are still seeing basically the same issues as in 1999: bad passwords, missing updates, code injections, and, well, Microsoft. I may be getting blasé but I’m highly skeptical that this AI stuff is going to change anything fundamental about that. @bortzmeyer

]]>https://forum.fedi.dk/post/https://mastodon.nl/users/mkoek/statuses/116424489579609178https://forum.fedi.dk/post/https://mastodon.nl/users/mkoek/statuses/116424489579609178Sat, 18 Apr 2026 07:18:48 GMT