AI-generated security reports have shifted from spam to credible flood for OSS maintainers
Insight: Maintainers of HAProxy, cURL, and the Linux kernel report that AI-generated vulnerability reports have crossed from low-quality spam into credible, defensible findings — and the volume has surged from 2-3 per week two years ago to 5-10 per day in early April 2026. The bottleneck has flipped from filtering noise to absorbing legitimate work, with duplicate reports from different AI tools analyzing the same code now common.
Detail: Tarreau, Stenberg, and Kroah-Hartman are independent maintainers of unrelated infrastructure projects, and each described the same shift within days of the others. Kroah-Hartman pinpoints roughly one month prior to April 2026 as the inflection point where AI reports became reliably useful. Because all three practitioners independently report the same shift, the finding is given a high confidence rating.