Open-source developers are working themselves sick on AI bugs

Open-source developers are facing health risks due to a surge in AI-generated security bug reports: curl lead developer Daniel Stenberg reports a fivefold increase in daily reports, which leaves little time for other project work. Stenberg and his team are experiencing burnout and health concerns as they struggle to process the influx of detailed AI-assisted vulnerability submissions. The crisis highlights a growing imbalance in which companies generating billions from open-source software contribute minimal financial support: curl's thirty billion installations are backed by only twenty-three sponsors.

Comment: Work intensification leads to overload for developers. Companies make billions thanks to open source and give little back, argues Christopher Kunz.

Some opinionated personalities have always served as a barometer for the mood in open-source projects. Among them are Linus Torvalds and Daniel Stenberg, founder and still lead developer of curl. They regularly voice their opinions on the topics of the day. In the wake of the "Vulnocalypse" of AI-assisted vulnerability discovery, Stenberg now states: contributing to open-source projects is becoming a health risk. This cannot continue, because a lack of participation endangers the open-source ethos.

Stenberg's views on AI-assisted bug hunting are nuanced and track the evolution of LLMs closely: after complaints about "AI slop" and the brief suspension of the curl bug bounty program, the project is currently in a phase of "high-quality chaos." Incoming bug reports are no longer obviously nonsense but detailed and very thorough. The developer spends his days reviewing AI-generated security reports. He has to read and understand each one and, if necessary, initiate further steps; on average that is one report per day, five times as many as in 2024.

This leaves little time for the rest of the project's development and takes a toll on Stenberg's health. His wife, as the Swede writes on his blog https://daniel.haxx.se/blog/2026/05/26/the-pressure/ , has for the first time expressed her concern about his long working hours and the imbalance between work and leisure. Other members of the curl team are experiencing similar issues, and, says Stenberg, "I am concerned for my team mates." The pressure is higher than ever: "an avalanche of high priority work that trumps everything else" is bearing down on the developers.

Stenberg, who, like Linus Torvalds, describes himself as a "Benevolent Dictator for Life," sketched out his principles for working on curl back in 2024 https://daniel.haxx.se/blog/2024/05/27/my-bdfl-guiding-principles/ : "Ship rock-solid products for the universe to depend upon," it says there. And: "maintain a security first focus." Stenberg wants to be measured by these and eight other principles, and they are now literally making him and his team sick, because their conscience and pride in their work on curl force them to process the reports instead of simply ignoring them.

Where are the billions from the billions of beneficiaries?

Stenberg, meanwhile, feels largely ignored by the companies that use curl or libcurl in their products. Their number is almost beyond comprehension: the team estimates curl's install base at thirty billion active installations. From firewalls to robot vacuum cleaners to video game consoles, the transfer library works away in most households worldwide. That is a record, and how many sponsors does this record-setting project have? Twenty-three https://curl.se/sponsors.html . Are tech giants worth trillions, such as Google, Meta, Apple, and Microsoft, among them? No luck. Instead, Elastic, a company worth five billion, is a gold sponsor and transfers between $500 and $1,000 per month to the project. Airbnb, with a market value of $78 billion, transfers between $100 and $500 per month, the same amount paid by a British cleaning company. There is also no sign of AI companies like OpenAI and Anthropic, and even their generous offer to unleash the security model Mythos on curl was apparently only indirectly put into practice by the company /news/Mythos-findet-nur-eine-Sicherheitsluecke-in-curl-11291666.html?from-en=1 . Meanwhile, "vibe coding" is removing the material basis from many open-source projects, as researchers have found /news/Vibe-Coding-gefaehrdet-die-materielle-Basis-fuer-Open-Source-Projekte-11167506.html?from-en=1 .

On OpenCollective, the curl project has just over 950 backers with one-time or monthly donations, and another 250 on GitHub. The GitHub donors are predominantly private individuals, and anyone who moves in the open-source bubble on the Fediverse will recognize many of the avatars. So here, volunteers are largely donating to other volunteers; large companies remain conspicuous by their absence. However, the sponsor page is not a complete picture of reality, as Daniel Stenberg explained to me: "I work full time on curl employed by wolfSSL and I do that because we have customers that pay for curl support and other curl related activities, and I think it could be fair to say that those customers are then by extension actually also sponsoring the curl project." So corporations like Microsoft could also be taking this indirect sponsoring route; wolfSSL's customer list is not public.

Still, that is not enough, Stenberg notes on his blog: "I wish more companies ... would chime in their part to fund us." He does not, however, believe in a change of heart, even though the situation has continued to escalate. The team could only "swim" through the "tsunami," as Stenberg calls the flood of bug reports, with no lifeboats in sight.

He is almost envious of projects that have "made the world burn for a while" because of serious security flaws, since these subsequently received attention and, in some cases, financial support. Perhaps he means Heartbleed /thema/Heartbleed ? That catastrophic OpenSSL vulnerability of 2014 shone a spotlight on the project's financial and staffing situation and led to noticeable improvements. But what would be the impact of a similar flaw in curl, possibly exploitable over the internet? Thirty billion potentially vulnerable devices is a lot; in my household alone, curl is probably present about fifty times.

Developer hugs as the new balcony applause?

Daniel Stenberg is by no means alone in complaining about a lack of support. At the recently concluded RIPE92 conference, the developers behind three of the most widely used open-source DNS servers, BIND, Unbound, and PowerDNS, appealed: "Hug your OSS maintainer https://indico.dns-oarc.net/event/56/contributions/1233/ , or support them with a support contract." Is the virtual hug now meant to be absolution, the "balcony applause" for overstretched software developers? That is not enough; without more, open source, and with it the technical foundation of our digital society, cannot survive.

The current escalation renews the focus on a problem that has existed for decades: companies use open source as the basis for their own business success. Some, like Bambu Lab, even openly disregard the customs and rules of the open ecosystem when it serves their own business model /news/Bambu-Lab-vs-Community-Streit-um-offene-3D-Drucker-eskaliert-erneut-11304925.html?from-en=1 . And AI companies, whose LLMs flood projects with bug reports, have shown often enough that they are primarily self-serving. Of course, there is no obligation to donate; after all, "free distribution" is one of the defining characteristics of open-source software (OSS) https://opensource.org/osd .

But I believe companies also have a duty to provide support, whether financially or in kind, through developer hours. So it is high time for all beneficiaries of open source to participate. Because, like any other volunteer work, this one lives from participation. And survives only through it.

Update: Changed some quotes to reflect the originals, changed some ambiguous and incorrect wording.

(cku) mailto:cku@heise.de