Generative AI models have alreadyprovenpowerful tools in the hands of cyber-criminals and fraudsters.
However, hucksters can also use them to spam open-source projects with useless bug reports.
These AI reports are insidious because they appear as potentially legitimate and worth checking out.
As Curl and other projects have alreadypointed out, they are just better-sounding crap but crap nonetheless.
Hallucinated reports waste volunteer maintainers' time and result in confusion, stress, and much frustration.
He had valuable advice for platforms, reporters, and maintainers currently dealing with an uptick in AI-hallucinated reports.
The community should employ CAPTCHA and other anti-spam services to prevent the automated creation of security reports.
Meanwhile, bug reporters should not use AI models to detect security vulnerabilities in open-source projects.
Large language models don’t understand anything about code.
Larson acknowledges that many vulnerability reporters act in good faith and usually provide high-quality reports.
However, an “increasing majority” of low-effort, low-quality reports ruin it for everyone involved in development.
