I think I've posted a couple of articles before from Daniel Stenberg, the head maintainer of curl, about how the project has struggled with AI slop bug reports and submissions. Curl has a bug bounty program, where developers who analyze the code and find serious issues and vulnerabilities and report them so they can be fixed can get paid for their time, effort, and contribution. It was a pretty good incentive to get eyes on your code, in the pre-LLM world.
But since the advent of chatbots that can (ostensibly) code, bug bounty programs like curl's have been flooded with zero-time, zero-effort submissions from people who aren't developers and in many cases don't even know how to code, but are just feeding curl's code to chatbots and asking them to produce bug reports - which 99% of the time aren't actual bugs or vulnerabilities, or are issues that would never arise in any reasonable use, or are even flat-out hallucinations citing functions that don't even exist in the code at all - in hopes that with enough volume something will eventually "stick" and earn them a payday. The people submitting these reports can't effectively communicate because they literally don't even know what the reports they've submitted actually say or mean, so they have to use their chatbots to answer dev responses and questions, which quickly becomes farcical and often results in the promptfondlers throwing a dramatic hissy-fit because their "work" isn't being properly appreciated.
The dev team meanwhile is severely overtaxed because it really does have to make an effort to follow up on every report
just in case it's legitimate. It's been really bad for a while, but curl is finally
ending its bug bounty program at the end of January. Not because it's been having to pay money to any of these guys, but purely in hopes that taking away the carrot will make the clanker spam stop.
arstechnica.com
