Last year, Daniel Stenberg's problem was fake bug reports. This year, it's real ones - too many of them.
Stenberg maintains curl, the data-transfer tool and library (libcurl) that runs on billions of devices. In 2024, his inbox filled with AI-generated garbage: low-quality or fabricated security vulnerability reports submitted by people hoping to game bug bounty programs. Projects like glibc, Vim, and Node.js dealt with the same flood. Filtering out the noise consumed real time and volunteer energy.
That phase appears to be ending. AI code scanning tools have improved enough that they're now finding genuine security flaws, and they're doing it fast. Stenberg recently described the new reality: "They're submitted in a never-before seen frequency and put us under serious load."
The Triage Gap
Finding a vulnerability is roughly 20% of the work. Everything after - confirming it's real, assessing severity, building a fix, testing it, coordinating the release, and managing disclosure - that's where the time goes. All of it requires experienced humans.
Security specialist Steve M. Hernandez described the problem directly: "High quality reports at higher frequency still require the triage capacity and decision consistency to keep up."
AI tools made vulnerability detection accessible to anyone with a laptop. They didn't make the fixing any easier. A volunteer team that could reasonably handle 15 quality security reports a year now faces 60. The tools don't come with extra maintainers.
Coordinated Disclosure Gets Harder
Willy Tarreau, who maintains HAProxy (a widely-used load balancer for routing web traffic), raised a second concern: the standard model for handling security disclosures may be breaking down.
The established practice is coordinated disclosure: a researcher finds a bug, notifies the maintainer privately, the maintainer typically gets 90 days to patch it, and then the vulnerability is published. This worked because, when finding the bug took weeks of specialized human effort, an independent rediscovery during the embargo window was unlikely.
It stops working when multiple independent researchers run the same AI scanner on the same codebase in the same week. If five people find the same vulnerability simultaneously, coordinating a shared disclosure timeline becomes nearly impossible.
For most open-source projects, this is a problem with no obvious fix yet. Better tooling found the bugs. That's good. The question now is how to scale the human layer that comes after.