Comment by Natsu
15 hours ago
I worry that this will make the bad guys focus on finding zero days during the month they have free to exploit anything they find, but I don't doubt that they need a break.
15 hours ago
I worry that this will make the bad guys focus on finding zero days during the month they have free to exploit anything they find, but I don't doubt that they need a break.
Mythos found only one. Would have to be pretty serious bad guys.
https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-v...
Remember though that many other AIs had already run and found issues that were fixed. If you had a time machine and took Mythos back a year it probably would have found a lot more. (if anyone has access to mythos it wouldn't be hard to test - download a release from last year and check)
Imagine the bugs you'd find in curl from five years ago! I bet there are tons!
The bad guys wouldn't have submitted a vuln report anyway.
Actually, submitting hundreds of bogus/low impact AI generated ones while you sit on something big might be a viable strategy to delay a project from fixing a hole you're using
Pretty sure if you find a zero day in a software like that you don’t wait until a certain month.
if a company has a problem with this pay for support if its not worth the money …
Cool, then it's down to everyone using this library to figure out how they can minimize the impact of a zeroday in curl - security should never be down to a single part of a system.
Is this likely though? If you are an AI slop model that spams out finding bugs and vulnerabilities, would you want to become more active when you see that a project is not actively fixing bugs? Because in my opinion, it really would not matter for any AI model how active a project is, when it comes to FINDING existing loopholes.
In other words, I would always go at full speed (as an evil AI slop model) and most likely never release any findings of flaws and loopholes, so they can be exploited lateron. Bad folks don't want to be caught; remember the xz utils backdoor.
I am sure some AI slop models are used by criminals. And they may exploit things at a later time, but they most likely have found issues already. Not every AI slop model would report.
The notion of "the bad guys will now be more active" is strange really in the AI slop age. (We had the stone age; now we have the slop age)