AI is drowning software maintainers in junk security reports
AI-assisted vulnerability research has exploded, unleashing a firehose of low-quality reports on overworked software maintainers who are wasting hours sifting through noise instead of fixing real problems.

Linus Torvalds, the Linux kernel’s creator, says the flood has made the project’s security mailing list “almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools.”
Too many duplicates, and too much AI slop
“If you found a bug using AI tools, the chances are somebody else found it too,” Torvalds wrote in the note accompanying the latest Linux kernel release candidate.
“If you actually want to add value, read the documentation, create a patch too, and add some real value on *top* of what the AI did. Don’t be the drive-by ‘send a random report with no real understanding’ kind of person.”
Jarom Brown, Senior Product Security Engineer at GitHub, acknowledged last week that while AI lowering the barrier to entry for security research is a welcome development, his team is being inundated by submissions that fail to demonstrate any real security impact.
These include reports without a proof of concept, theoretical attack scenarios that don’t hold up under scrutiny, and findings already covered by GitHub’s published ineligible list.
And GitHub isn’t the only recipient of this unwanted deluge.
“Programs across the industry are grappling with the same challenge, and some have shut down entirely,” he said.
GitHub has stopped short of such a drastic measure, but is now requiring submitters to validate AI-assisted findings before sending them in.
Going forward, a complete submission must also include a working proof of concept demonstrating exploitation potential and concrete security impact.
Also, reports covering known ineligible categories will be closed as Not Applicable, which may impact the submitter’s HackerOne Signal and reputation, he added.
Finally, Brown urged researchers to be concise: bloated, AI-padded reports slow down triage and waste everyone’s time.
The researcher’s view
The collateral damage extends beyond the programs themselves. Shubham Shah, co-founder of Assetnote and a respected security researcher, says organizations are now taking far longer to review legitimate reports and act on real flaws, and that’s killing the feedback loop that keeps top researchers engaged.
While bug bounty platforms like HackerOne and Bugcrowd are trying to fight the onslaught of AI-created spam reports with AI and added controls, he says that “the joy of reporting vulnerabilities to bug bounties is quickly dissipating” – and not just for him.
“Hopefully the platforms actually work this out, but until then, I can’t see myself continuing to report high quality original research to certain programs where I have meaningfully contributed for a decade when they fail to understand the difference between myself and a researcher that doesn’t have any credibility,” he added.
In the near term, some experienced researchers may retreat to private vulnerability research and invite-only bounties.
Open source bears the brunt
The AI-powered “industrialization” of vulnerability discovery is currently a much bigger problem for open source projects than for big organizations like Microsoft or Google, because open source projects rely on volunteer maintainers, whose numbers and time are limited.
Those limitations have, for example, led the cURL project to stop accepting HackerOne submissions.
The project still accepts reports via GitHub or via email, but it no longer offers monetary rewards for security reports.
Curl lead developer Daniel Stenberg hopes the latter decision will remove the incentive for submitting AI slop, and believes that “the best and our most valued security reporters still will tell us when they find security vulnerabilities.”
In the meantime, the Open Source Security Foundation’s Vulnerability Disclosures Working Group is still seeking community feedback as it works to help open source maintainers tackle AI-generated junk reports. Its goals include compiling best practices, creating policy templates, and developing guidance to help maintainers spot and handle AI-assisted submissions.

