On Mon, Oct 27, 2025 at 1:30 PM Jeremy Stanley <[email protected]> wrote:
>
> On 2025-10-27 09:34:03 -0700 (-0700), Alan Coopersmith wrote:
> [...]
> >> The vendor was contacted early about this disclosure but did not
> >> respond in any way.
> [...]
>
> With the flood of dubious reports being submitted by anyone who can
> thumb some words into an LLM prompt and not bother to check the
> results for hallucinated nonsense, I've taken to ignoring or
> summarily closing such submissions to projects I work on as not
> worth my time to respond. This is probably yet another sign that the
> CVE system needs an overhaul or it's going to get ignored when it
> becomes as overwhelmed with "AI noise" as everything else (not
> saying these reports were necessarily machine-generated, but it's
> reaching the point where open source projects with limited resources
> have no choice but to silently bin such nonsense to /dev/null).
cURL is fed up with the LLM nonsense, too. cURL requires the source of a vulnerability report be stated because the project was being overrun with false positives and low-quality bug reports from AI-generated slop. See "AI guidelines" (May 2025), <https://curl.se/mail/lib-2025-05/0013.html> and <https://github.com/curl/curl/pull/17325>.

And the IETF is also concerned about submissions curated from LLMs. See "BCP 78 policy / copyright / Generative AI / LLM .. is there a FAQ?" (August 2025), <https://mailarchive.ietf.org/arch/msg/ietf/ZAwDLUWAQ-iU2u6vVpw5IeW7g-E/>.

Jeff
