AI-assisted security reports to curl are arriving at 4-5x the 2024 rate
Daniel Stenberg, the curl project lead, wrote that AI-assisted security reports are now arriving at four to five times the 2024 rate and roughly double the 2025 pace, averaging more than one submission a day. Simon Willison quoted the post and pulled out the part that is most worrying: the reports are no longer easy to dismiss. They are detailed, well written, and demand real engineering time to triage.
The volume is starting to take a personal toll. Stenberg notes his wife raised concern about his work hours and life balance for the first time over this. The work itself is unevenly rewarding. Despite the surge, the severity profile has stayed mild: most findings rate LOW or MEDIUM, and the last HIGH severity curl vulnerability was reported in October 2023. The engineering is solid enough that AI-assisted reports rarely surface anything catastrophic, but each one still gets a response, because curl is curl.
The picture is what happens when capable LLMs meet a piece of critical infrastructure maintained by a small, principled team. The bug bounty side of the security industry now has a near-free way to mass-produce credible reports, and the cost lands on volunteer maintainers who do not have the option of ignoring them.
Why it matters
If you fund or contribute to open source security, the headline number is not the vulnerability count, it is maintainer time. Sponsoring triage capacity for projects like curl will do more for open source security right now than any new scanning tool, because the bottleneck has moved from finding bugs to answering reports.