The case highlights a growing crisis of trust around AI-generated security research as false positives overwhelm the industry
The hallucination problem goes to court #
AI hallucinations, the tendency of large language models to generate plausible-sounding but entirely fictional information, have been a known issue since ChatGPT first captured public attention. Lawyers have been sanctioned for citing fake case law generated by AI. Students have been caught submitting papers with fabricated sources.
Security research carries real consequences. A false vulnerability report can tank a company’s stock, trigger expensive remediation efforts, or destroy a product’s reputation. When those findings turn out to be hallucinated by an AI model rather than discovered by human researchers, the damage doesn’t magically reverse itself.
An industry drowning in false positives #
cURL, one of the most widely used open-source tools in the world, shut down its HackerOne bug bounty program in January 2026. The reason was blunt: validity rates had cratered to below 5%. In English, that means fewer than 1 in 20 submitted vulnerability reports were actually real. The rest were AI-generated false positives, convincing enough to require human review but ultimately worthless.
AI vulnerability scanning tools have been documented producing false-positive rates as high as 80% in some assessments. Every false positive requires human analyst time to investigate and dismiss. Multiply that across thousands of reports and you’ve effectively created a system where AI generates busywork for the humans it was supposed to replace.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our