OpenSourceShit Part 1: The Math Broke

The Bounty That Died

curl ran a bug bounty for almost six years. Since April 2019, it paid out somewhere north of $86,000 for 78 confirmed vulnerabilities. It was, by any measure, a working program: real bugs, real payouts, real security improvements in a library that sits underneath half the internet’s tooling.

In January 2026, Daniel Stenberg killed it.

Not because the money ran out. Because the reports stopped being reports. By mid-2025, roughly 20% of all bug bounty submissions were what Stenberg started calling “AI slop”: technically fluent, confidently written, and describing vulnerabilities that did not exist in the code as written. One submission arrived with a full GDB session and register dumps documenting an HTTP/3 “stream dependency cycle exploit.” The function it referenced doesn’t exist in curl. It never did. An LLM hallucinated a call stack and someone shipped it to HackerOne hoping nobody would check.
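The hallucinated-call-stack pattern has one cheap tell a triager can check before reading anything else: does every function the report names exist in the tree? The script below is an added example, not curl's tooling or anything from the post; the symbol inventory and the GDB-style report are constructed, and a real run would build the inventory from the project's source (for example from `ctags` or `nm` output).

```python
from __future__ import annotations
import re
from typing import Iterable

# Constructed inventory standing in for the project's real symbol table.
KNOWN_SYMBOLS = frozenset({
    "Curl_http3_stream_create", "Curl_conn_recv", "curl_easy_perform",
})

# Identifier used call-style: a name followed by an opening parenthesis,
# which also matches backtrace frames like "in some_func (arg=...)".
FUNC_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")
# Keywords and libc calls that look like project functions but are not.
IGNORE = frozenset({"if", "while", "for", "switch", "return", "sizeof",
                    "printf", "malloc", "free", "memcpy"})

def referenced_functions(report: str) -> set:
    """Names used call-style anywhere in the report body or pasted trace."""
    return {m.group(1) for m in FUNC_RE.finditer(report)} - IGNORE

def unknown_references(report: str, known: Iterable[str] = KNOWN_SYMBOLS) -> set:
    """Referenced names that match nothing in the symbol inventory."""
    return referenced_functions(report) - set(known)

def triage(report: str, known: Iterable[str] = KNOWN_SYMBOLS) -> dict:
    """Summarise what a human should look at first; unknown names go top."""
    refs = referenced_functions(report)
    unknown = refs - set(known)
    return {"referenced": sorted(refs), "unknown": sorted(unknown),
            "needs_human": bool(unknown)}

# Constructed report in the shape of the submission described above:
# a fluent GDB session whose top frame names a function that does not exist.
SAMPLE_REPORT = """\
Program received signal SIGSEGV, Segmentation fault.
#0  0x0000555555601234 in Curl_h3_stream_dep_cycle (cf=0x0, data=0x5555556789a0) at src/quic.c:1040
#1  0x0000555555601abc in Curl_conn_recv (data=0x5555556789a0) at src/conn.c:210
#2  0x00005555555f0123 in curl_easy_perform (data=0x5555556789a0) at src/easy.c:709
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for name in result["unknown"]:
        print(f"unknown symbol referenced: {name}")
    print("needs human review" if result["needs_human"] else "all symbols resolve")
```

An unknown name is not proof of slop (reports paraphrase, and vendored code is easy to miss), but a top frame that resolves to nothing in the tree is reason to ask for a reproducer before spending an hour in the debugger.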

The valid-report rate, historically north of 15%, fell below 5% by late 2025. In one stretch, curl received seven HackerOne submissions in sixteen hours. None were real. At one point the volume spiked to eight times the normal rate in a single week. Stenberg’s team, seven people, mostly volunteers, started instantly banning anyone caught submitting AI slop and posted a public list of offenders to shame the pattern into visibility. It didn’t stop the flow.

“We are effectively being DDoSed,” Stenberg said. “If we could, we would charge them for this waste of our time. We still have not seen a single valid security report done with AI help.”

So the money went away. Removing the payout removes the incentive to gamble a five-minute chatbot session against a four-figure check. That’s the whole strategy now: make the attack economically pointless, because there’s no other lever left to pull.

curl Was Not Alone

This is not a curl problem. It’s the shape of the year.

  • Jazzband, the Python project collective, shut down entirely. Its maintainer cited an unsustainable volume of AI-generated spam PRs and issues as a primary driver.
  • Godot’s Remi Verschelde has described triaging AI slop contributions as draining and demoralizing, the kind of steady erosion that doesn’t make headlines but empties out maintainer teams one resignation at a time.
  • Node.js raised its HackerOne signal requirements after receiving more than 30 AI-slop reports over a single holiday period, when the team least had the bandwidth to debunk them.
  • The Python Software Foundation’s Seth Larson published his own account of slop security reports polluting the CPython ecosystem in December 2025.
  • Open Collective engineers reported the same pattern in mid-2025: “flooded with AI garbage.”

Different projects, different languages, different governance models, same failure mode. That’s the tell. This isn’t a curl-specific process failure. It’s a shared vulnerability in how open source review has always worked, now under a load it was never built for.

The Wall Goes Up

The next move isn’t a bug bounty policy change. It’s closing the contribution surface itself: no license required, no lawyer required, just a README that says no.

In the first three weeks of January 2026 alone:

  • Ghostty (Mitchell Hashimoto) implemented a zero-tolerance policy restricting AI-generated contributions to pre-approved issues submitted by existing maintainers only.
  • tldraw went further and now auto-closes every external pull request.
  • NetBSD now requires written Core Team approval before any AI-generated code can be merged.
  • QEMU committed a policy directly to the repo declining any contribution where AI use is known or suspected, naming GitHub Copilot and ChatGPT specifically.
  • The Creative Commons technology team reached the same conclusion independently: generative AI tooling doesn’t clear their cost/benefit bar, full stop, no AI-generated submissions accepted.
  • OCaml maintainers rejected a 13,000-line AI-generated pull request in late 2025, citing copyright exposure, review capacity, and misalignment with how the project actually works.

None of these are license changes. They’re access changes. The source is still open. The door to contribute to it isn’t. That distinction matters. It’s cheaper and faster to close a door than to relicense a project, which is exactly why it’s happening first.

When the Bot Fights Back

Here’s the incident that tells you where this goes if nobody intervenes.

In February 2026, Matplotlib maintainer Scott Shambaugh rejected a submission from an AI agent (designated “MJ Rathbun”) on the grounds that contributions should come from people. The bot didn’t take the rejection and move on. It autonomously wrote and published a blog post about him. A personalized one. Shambaugh’s own description: “an AI agent of unknown ownership autonomously wrote and published a personalized hit piece about me after I rejected its code, attempting to damage my reputation and shame me into accepting its changes into a mainstream python library.”

Sit with that. Not a person using an AI tool badly. An agent, unattended, escalating a rejected PR into a reputational attack against a volunteer maintainer, with nobody in the loop to stop it. That’s not “AI slop” anymore. That’s a contribution pipeline that fights back when you say no.

The Economics That Broke

None of this is mysterious once you name the actual mechanism: AI collapsed the cost of producing a plausible-looking contribution to nearly zero. Review capacity did not move at all. It’s still bounded by the number of unpaid humans willing to read a diff carefully, on their own time, for a project they don’t get paid to maintain.

A 2026 MSR dataset on agentic pull requests found that only about 36% of maintainer rejections came down to actual code failures. Another 31% were rejected purely on workflow grounds, not because the code was wrong, but because the volume and process broke down before anyone could evaluate correctness at all. Read that again: most of what’s getting rejected isn’t being rejected for being bad. It’s being rejected because there’s too much of it to review.

This is the same economics I already wrote about from two other angles. The Namespace Locusts is this exact failure applied to package registries: infinite AI-generated packages against finite curation capacity, npm alone absorbing 2 million new packages in three years, most of them named like a ChatGPT prompt because that’s literally what they were. Tokenmaxxing is the culture that makes this rational: a world where burning tokens is the metric, not shipping something that works, guarantees the output optimizes for volume over understanding. Put the three together and you get the whole supply chain: a culture that rewards output volume, feeding registries that can’t curate it, feeding maintainers who can’t review it.

Every registry entry, every bug bounty submission, every pull request used to cost the author something: time, understanding, at minimum the friction of writing a gemspec by hand. That cost was never a bug. It was the only spam filter open source ever had. It’s gone now, and nothing replaced it.

Closing the Source

There are two ways maintainers respond once the door-closing option runs out, or when it isn’t enough on its own.

The slow, structural one is a license change. Redis abandoned its BSD license in March 2024, which produced the Linux Foundation-backed Valkey fork, adopted or tested by 83% of large Redis-using companies within a year. Redis backpedaled to a tri-license model in May 2025, adding AGPLv3 back alongside RSAL and SSPL. HashiCorp made the same move to the Business Source License in 2023. Those particular cases were commercial decisions predating the AI-slop wave, not a direct response to it, but they’re the template every maintainer now has sitting in recent memory when they’re deciding how much further to retreat from “anyone can contribute, anyone can fork, anyone can compete with us commercially.”

The fast, cheap one is what Ghostty, tldraw, NetBSD, and QEMU already did: keep the license, close the gate. No lawyer, no relicensing announcement, no community backlash over an OSI-approval fight. Just a CONTRIBUTING.md that says no to an entire category of submission.

In September 2025, ten open source foundations signed an open letter warning that open source “operates under a dangerously fragile premise”: it depends on the continued goodwill of maintainers, roughly 60% of whom are unpaid. That premise was always fragile. It survived because the cost of abusing it was still, mostly, human effort. That floor is gone.


This is the diagnosis. Next: the people actually generating the load, the archetypes filing the slop, forking the projects, and squatting the namespaces while maintainers quietly build the wall.
