
Submission: New problem: AI finds too many bugs (etn.se)

jantangring writes: The open source project cURL used to be flooded with worthless, AI-generated security reports. Over the past few months, those have vanished — replaced by genuinely useful ones. So many, in fact, that the maintainers are struggling to keep up, says Daniel Stenberg, who leads the project.

cURL is not alone.

“I hear similar witness reports from fellow maintainers in many other Open Source projects,” Stenberg writes on LinkedIn.

Several of those colleagues back him up in the discussion thread — among them the maintainers of glibc, Vim, and Node.js.

“Over the last few months, we have stopped getting AI slop security reports in the #curl project. They're gone. Instead we get an ever-increasing amount of really good security reports, almost all done with the help of AI,” says Stenberg.

Stenberg has a straightforward explanation for the shift – better tooling.

“HackerOne did basically nothing new that could explain this (plus, this is mirrored in countless other projects, many of them not on hackerone). This is a notable change in the incoming reports. I'd say it is primarily because the tooling has improved.”

HackerOne is the platform cURL uses to receive bug reports.

There is an unexpected downside to being flooded with good bug reports, though — there are simply too many to handle in time.

“They're submitted in a never-before seen frequency and put us under serious load,” says Stenberg.

The challenge used to be filtering out noise. Now it is keeping pace with reports that actually matter. That is how Steve M. Hernandez, a code security specialist, puts it.

“High quality reports at higher frequency still require the triage capacity and decision consistency to keep up. The bar is moving from filtering noise to keeping pace with real signal.”

Submission: Cybercabs? But Tesla Still Doesn't Have a Self-Driving Car (etn.se)

jantangring writes: Nope, a car does not magically become autonomous just because you remove the steering wheel. Tesla has begun mass-producing a vehicle designed without one, aiming squarely at the robotaxi market. But the most critical component is still missing: the self-driving system itself.

The Tesla Cybercab has now entered series production. Yet the vehicles might just as well be shipped straight to the scrapyard. They do not work. Tesla’s CEO hopes they soon will — and that hope is precisely why he is building them.

How do we know Cybercab’s autonomy doesn’t work?

Because it relies on the exact same underlying system as every other Tesla, and that system does not deliver true self-driving capability.

Removing the wheel and pedals will not suddenly make the technology function. That is magical thinking, not engineering.

The Teslas currently operating in Tesla’s experimental taxi service in Austin are driving under supervision. There is no compelling reason to believe they possess the robustness required for fully unsupervised operation.

Submission: cURL removes bug bounties (etn.se)

jantangring writes: Open source code library cURL is removing the possibility to earn money by reporting bugs, hoping that this will reduce the volume of AI slop reports. Joshua Rogers – AI-wielding bug hunter of fame – thinks it's a great idea.

cURL maintainer Daniel Stenberg famously reported on the flood of AI-generated bad bug reports last year –

“Death by a thousand slops.”

Now cURL is removing the bounty payouts as of the end of January.

“We have to try to brake the flood in order not to drown”, says cURL maintainer Daniel Stenberg to Swedish electronics industry news site etn.se.

Despite being an AI-wielding bug hunter himself, Joshua Rogers – slasher of a hundred bugs – thinks removing the bounty money is an excellent idea.

“I personally would have pulled the plug long ago,” he says to etn.se.

Submission: AI slop? Not this time. Generative AI found 50 real bugs in cURL — and cou (etn.se)

jantangring writes: AI-generated bug reports are usually trash. But when a security researcher used LLM-based scanners the right way, he found 50 real bugs in libcURL. A Swedish tech journal talks to cURL maintainer Daniel Stenberg and to Joshua Rogers, the Australian hacker / security researcher who is using AI tools to uncover loads of old bugs in open source projects.
Generative AI has now proven that it can independently discover new vulnerabilities in high-quality source code. New generative AI tools are suddenly digging up bugs that traditional static analysis tools have been overlooking for years.
“I’m actually overwhelmed by the quality of some of these findings”, says Daniel Stenberg, maintainer of the file-transfer library cURL, in an interview with Swedish industrial electronics news publisher Elektroniktidningen (etn.se).
In a well-known talk this August, Daniel Stenberg warned that he and his team were being flooded with AI-generated bug reports — wrong, confused, hallucinatory garbage created by generative AI.
Such “AI slop” has begun to waste valuable time for open-source maintainers, not only in cURL. The community is struggling with how to stem the tide.
Still, banning AI wasn’t the solution, Stenberg argued back then. He believed that AI might yet prove useful.
And he turned out to be right. In September, a batch of cURL bug reports arrived that has so far led to 50 fixes in the cURL library source code.
It marks a clean break from the previous wave of junk reports. There may have been the odd valid AI-based bug report before, but this time, Stenberg’s team implemented fifty fixes, all stemming from AI-generated reports. Once again the team is knee-deep in AI bug reports — but this time, they’re not slop. These are bugs that cURL’s regular analysis tools have been completely overlooking.
“This is new,” says Daniel Stenberg. “It really looks like these new tools are finding problems that none of the old, established tools detect.”
“We regularly run clang-tidy, scan-build, CodeSonar and Coverity on the code, and whenever they find something, we fix it. So when all those tools report zero issues and someone suddenly finds hundreds, that’s pretty spectacular,” he adds — with some understatement.
All the bug reports came from one single developer: Joshua Rogers, an Australian with 15 years in cybersecurity, including at Opera Software in Poland. Today he works in security for a cryptocurrency company.
Over the past few months, he has been evaluating new AI-based tools and has started submitting bug reports to several open-source projects — including cURL, sudo, libwebm, Next.js, avahi, wpa_supplicant and squid.
None of the 50 bugs found in cURL were critical, but Rogers has discovered critical vulnerabilities elsewhere, including in source code from his former employer Opera Software. That bug was patched in early September.
Initially, Rogers hesitated to report bugs to cURL — familiar with Stenberg’s public stance on “AI slop”.
“Even though I could literally see the bugs in the code, I thought there was a 0.001% chance I was wrong — and I’d end up in the hall of shame,” Rogers says with a smile.
But he eventually gathered his courage and started sending reports.
After a while, Stenberg reached out curiously and asked where the reports were coming from.
“After I explained it to him, he asked me to send him the un-reviewed list of problems, and he'd triage them himself.”
“Triage” is a medical term — sorting patients by urgency. In software, it means prioritizing bug reports by severity.
Rogers says he’s received similarly astonished reactions from other open-source maintainers.
On his blog, he has shared insights into how he performs vulnerability analysis using LLM-based SAST tools (Static Application Security Testing). His main message: these tools exist, and they’ve become incredibly good.

Comment Re:Recycle everthing possible ffs (Score 1)

It may be an inferior product, but if it takes less energy to generate than starting from scratch you are still coming out ahead.

Many forms of recycling take more energy than working from raw materials. Such recycling is only commercially viable thanks to the high charges for landfill and dumping of used goods.

Comment Re:Recycle everthing possible ffs (Score 1)

How is that not recycling?

Because classically, "recycling" means putting it back through industrial processes to manufacture a new item. The extended meaning of recycling to cover reuse, repair and repurposing inadvertently puts carbon-intensive collection and reprocessing of glass on an equal footing with not putting the glass in the bin at all and using it to store things instead of silly plastic Tupperware items.
