The pressure

Simon Willison · Simon Willison · 2026-05-26

curl project lead Daniel Stenberg reports that AI-assisted security reports are arriving at 4-5x the 2024 rate, creating unsustainable maintainer workload even as all recent vulnerabilities remain low-to-medium severity.

Open original ↗

Appears in

AI as Attack Tool and Attack Target: May 2026 Cybersecurity Moment

Extraction

Topics: open-source-securityai-security-researchvulnerability-disclosurecurl

Claims

AI-assisted security reports to the curl project now arrive at 4-5x the 2024 rate and 2x the 2025 rate, averaging more than one report per day.
The quality and detail of AI-generated security reports is higher than historical human-authored reports.
Despite the volume increase, all curl vulnerabilities in recent years have been rated LOW or MEDIUM severity, with the last HIGH severity CVE in October 2023.
The surge in reports is creating significant personal and professional burnout for curl maintainers, affecting work-life balance.

Key quotes

The rate of incoming security reports is 4-5 times higher than it was in 2024 and double the speed of 2025 -- meaning that on average we now get more than one report per day.

For the first time in my life, my wife voiced concerns about my work hours and my imbalanced work/life situation.

This is a never-before seen or experienced pressure on the curl project and its security team members. An avalanche of high priority work that trumps all other things in the project.