acdha 3 hours ago

It’s not just them, but curl is one of the most popular open source projects in existence and it’s used in areas where security is a significant concern. The security industry has a lot of emphasis on someone’s portfolio for hiring, which isn’t bad (it beats “what frat were you in?”) but it means that there are a ton of early career people thinking that the path to a better job is getting credited for CVEs on major projects. That’s a bad combination with LLMs which are almost perfect for letting the user think they’re being more productive than they actually are because the output sounds authoritative. You don’t have to be acting in bad faith to submit a slop report, just being inexperienced and over-confident will work if you don’t have enough experience in the area to reason about the security of the entire system.