vitrealis, 7 hours ago:
Why is cURL specifically receiving so many slop contributions? Or is this a recent phenomenon for every open-source project, and cURL are the ones most spoken of? First time commenting on HN!
dirkt, 7 hours ago (reply to vitrealis):
They offered a bug bounty, so people think "let me just use ChatGPT to make money for myself". But from what I hear it affects other projects too. It affected curl more because with the bug bounty they actually need to invest work and look at those.

[1] https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-f...
[2] https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-s...
hypfer, 7 hours ago (reply to vitrealis):
curl as a project has a lot of conceptual attack surface for someone looking to find _anything_. It is large, very popular (hence impact) and written in C. It supports many many many protocols with all of their real-world implementation quirks. Obscure or mainstream. And always handling user-controlled data. If your motivation is a cool CVE for your CV, you'd pick such a project as the target of your efforts.
acdha, 2 hours ago (reply to vitrealis):
It's not just them, but curl is one of the most popular open source projects in existence and it's used in areas where security is a significant concern. The security industry has a lot of emphasis on someone's portfolio for hiring, which isn't bad (it beats "what frat were you in?") but it means that there are a ton of early career people thinking that the path to a better job is getting credited for CVEs on major projects. That's a bad combination with LLMs, which are almost perfect for letting the user think they're being more productive than they actually are because the output sounds authoritative. You don't have to be acting in bad faith to submit a slop report; just being inexperienced and over-confident will work if you don't have enough experience in the area to reason about the security of the entire system.