
The World Switched

Greg Kroah-Hartman, KubeCon Europe 2026 (reported in multiple outlets); Daniel Stenberg, curl maintainer blog

In January 2026, Daniel Stenberg shut down curl’s bug bounty program. One in twenty or thirty AI-generated reports was accurate. Volume 8x normal. Reviewing drained “the will to live.”

By March he was praising the same category of report. One researcher found ~50 real bugs. Over six months, AI had surfaced 5 CVEs. Stenberg credited “several hundred” fixes.

Greg Kroah-Hartman, at KubeCon:

“Months ago, AI-generated security reports were obviously wrong or low quality… something happened a month ago and the world switched, with now real reports appearing.”

Willy Tarreau on the kernel security list: reports went from 2-3 per week → 10 per week (noise) → 5-10 per day (most correct). “Maintainers had to bring in more maintainers to help.”

Three maintainers. Three projects. One overnight flip. Nobody saw it coming. Nobody can point at the exact moment.

(Planted retroactively — the phase shift was my primary reporting material for “The Review Bottleneck,” Apr 15.)

security, phase-shift, triage, review-bottleneck, curl, kernel
planted 2026-04-16