AI-generated bug reports are usually trash. But when a security researcher used LLM-based scanners the right way, he found 50 real bugs in libcURL. A Swedish tech journalist talks to Swedish cURL maintainer Daniel Stenberg and to Joshua Rogers, an Australian hacker / security researcher who used AI SAST tools to find 50 real cURL bugs – and counting.
With the help of generative AI–based tools, a developer named Joshua Rogers has identified no fewer than 50 flaws in one of the world’s most widely used open-source projects, cURL.
The Swedish maintainer of cURL — who recently vented his frustration over worthless AI-generated bug reports — is, this time, astonished by AI’s capability.
Something big just happened in the cybersecurity world. Generative AI has now proven that it can independently discover new vulnerabilities in high-quality source code. New generative AI tools are suddenly digging up bugs that traditional static analysis tools have been overlooking for years.
[Photo: Daniel Stenberg]
“I’m actually overwhelmed by the quality of some of these findings”, says Daniel Stenberg, maintainer of the file-transfer library cURL, in an interview with Swedish industrial electronics news publisher Elektroniktidningen (“Electronics Magazine”, etn.se).
In a well-known talk this August, Daniel Stenberg warned that he and his team were being flooded with AI-generated bug reports — wrong, confused, hallucinatory garbage created by generative AI.
Such “AI slop” has begun to waste valuable time for open-source maintainers, not only in cURL. The community is struggling with how to stem the tide.
Still, banning AI wasn’t the solution, Stenberg argued back then. He believed that AI might yet prove useful.
And he turned out to be right. In September, a batch of cURL bug reports arrived that has so far led to 50 fixes in the cURL library source code.
It marks a clean break from the previous wave of junk reports. There may have been the odd valid AI-based bug report before, but this time, Stenberg’s team implemented fifty fixes, all stemming from AI-generated reports. Once again the team is knee-deep in AI bug reports — but this time, they’re not slop. These are bugs that cURL’s regular analysis tools have been completely overlooking.
“This is new,” says Daniel Stenberg. “It really looks like these new tools are finding problems that none of the old, established tools detect.”
“We regularly run clang-tidy, scan-build, CodeSonar and Coverity on the code, and whenever they find something, we fix it. So when all those tools report zero issues and someone suddenly finds hundreds, that’s pretty spectacular,” he adds — with some understatement.
All the bug reports came from one single developer: Joshua Rogers, an Australian with 15 years in cybersecurity, including at Opera Software in Poland. Today he works in security for a cryptocurrency company.
Over the past few months, he has been evaluating new AI-based tools and has started submitting bug reports to several open-source projects — including cURL, sudo, libwebm, Next.js, avahi, wpa_supplicant and squid.
None of the 50 bugs found in cURL were critical, but Rogers has discovered critical vulnerabilities elsewhere, including in source code from his former employer Opera Software. That bug was patched in early September.
Initially, Rogers hesitated to report bugs to cURL — familiar with Stenberg’s public stance on “AI slop”.
[Photo: Joshua Rogers]
“Even though I could literally see the bugs in the code, I thought there was a 0.001% chance I was wrong — and I’d end up in the hall of shame,” Rogers says with a smile.
But he eventually gathered his courage and started sending reports.
After a while, Stenberg reached out curiously and asked where the reports were coming from.
“After I explained it to him, he asked me to send him the un-reviewed list of problems, and he’d triage them himself.”
“Triage” is a medical term — sorting patients by urgency. In software, it means prioritizing bug reports by severity.
Rogers says he’s received similarly astonished reactions from other open-source maintainers.
On his blog, he has shared insights into how he performs vulnerability analysis using LLM-based SAST (Static Application Security Testing) tools. His main message: these tools exist, and they’ve become incredibly good.
He also gave a presentation on this work at Kazhackstan 2025.
So how did generative-AI vulnerability analysis suddenly leap forward?
One breakthrough came last year, when Google’s security team discovered a previously unknown critical vulnerability in SQLite, using their AI-based tool called Big Sleep — a milestone event.
Since then, commercial tools are appearing. The one Rogers currently rates highest is ZeroPath.
Another key factor, though, is Rogers himself. He uses the tools to analyze the code from multiple angles and then carefully reviews the results — both manually and with the help of other AI models.
“A good tool in the hands of a competent person is a powerful combination,” says Daniel Stenberg.
What seems to make generative AI–based tools strong is their ability to understand both natural languages and programming languages. They read comments, they know the protocols, and they can spot when intent, logic and implementation don’t align.
Traditional static-analysis tools, by contrast, take a narrow syntactic view — scanning for known classes of errors.
Generative AI is now able to uncover entirely new classes of bugs — and since they didn’t use to be detectable, dozens have accumulated over the years, in old project code. One of Rogers’ reports concerned Kerberos code so old that nobody was even using it anymore.
The bug came with a second, accompanying bug that was severe enough to crash the code if it had ever been executed — which, evidently, never happened. So Stenberg’s “fix” was simply to retire the code from support altogether.