The curl Maintainer Hated AI Bug Reports. Then Mythos Showed Up.
Daniel Stenberg, the maintainer of curl, has been the most visible victim of the AI bug-report flood. For over a year, he’s torched the trend on his blog, on Mastodon, anywhere with a text box. So when Stenberg of all people says an AI security tool delivered the real thing, that’s news. The tool is Mythos, and the bug it found was sitting in curl.
The man at the center of the slop war
Stenberg has been hammering one message since 2024: roughly 99% of AI-generated security reports are garbage. He’s called the situation “drowning in AI slop” — a phrase that’s since become shorthand across the open-source security world.
The underlying problem is asymmetry. An LLM can produce a confident, plausible-sounding “vulnerability report” in 30 seconds. A maintainer needs hours to verify it. The reporting side is automated. The defender side is a human with a day job.
curl’s HackerOne program is one of the most active in open source, and it was buckling. Stenberg eventually made the call: undisclosed AI use is now grounds for an instant report closure. That’s a maintainer triaging by exhaustion, not policy preference.
What Mythos did differently
So when Stenberg actually praised Mythos, that’s not a casual data point. Mythos is an AI security tool that hunts vulnerabilities in open-source codebases — but the thing that separated it from the noise was that it submitted a working proof of concept alongside the finding.
The codebase matters too. curl has been audited, fuzzed, and stared at by professional researchers for over two decades. It ships on billions of devices — cars, satellites, game consoles, virtually every Linux server. Finding a fresh, real bug there is not a junior-tier accomplishment.
The line between slop and signal
What’s the actual difference between the slop pile and Mythos? One word: verifiability.
Most AI security tools to date have been thin wrappers around an LLM. You hand it a file, ask it to find bugs, and it pattern-matches: “I see a strcpy here, possible buffer overflow.” Confident output, zero evidence the code path is even reachable from user input.
Mythos reportedly stacks static analysis, dynamic execution, and LLM reasoning into one pipeline. The LLM proposes candidates; the system then tries to actually trigger them. By the time a report lands in a maintainer’s inbox, there’s a payload attached that demonstrably triggers the bug, and the maintainer’s job shrinks from “investigate from scratch” to “confirm and patch.” Confirming still means running that payload against a current build, ideally under a sanitizer and inside a sandbox, because the PoC is itself untrusted input from an unknown reporter. A payload nobody has run is no more evidence than a paragraph nobody has checked.
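To make “confirm and patch” concrete, here is an added example of the kind of self-checking reproduction a PoC-bearing report reduces triage to. It is not curl code and not Mythos output; the `struct record`, both copy routines and the payloads are hypothetical. Routine A is what a pattern matcher flags (an unbounded-looking copy) but cannot be overrun because of the length check; routine B is the same copy with the check missing. A sentinel placed directly after the destination buffer turns “did the bug fire?” into a yes/no answer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 16

/* Hypothetical record: the destination buffer with a sentinel right after it.
 * If a copy overruns name[], the sentinel changes; that is the "proof". */
struct record {
    char name[NAME_MAX_LEN];
    uint8_t canary[8];
};

static const uint8_t CANARY[8] = {0xde, 0xad, 0xbe, 0xef, 0xfe, 0xed, 0xfa, 0xce};

/* Routine A (hypothetical): an unbounded-looking copy that a pattern matcher
 * would flag, but the length check makes the overrun unreachable. */
static int set_name_guarded(struct record *r, const char *src, size_t len)
{
    if (len >= NAME_MAX_LEN)
        return -1;                      /* rejected before any write */
    memcpy(r->name, src, len);
    r->name[len] = '\0';
    return 0;
}

/* Routine B (hypothetical): the same copy with no check, so the overrun is
 * reachable from whatever the caller passes in. The write goes through a
 * char* into the allocated struct, so the harness observes it deterministically
 * rather than relying on undefined stack behaviour. */
static int set_name_unguarded(struct record *r, const char *src, size_t len)
{
    char *dst = (char *)r + offsetof(struct record, name);
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i];
    dst[len] = '\0';
    return 0;
}

/* Reproduction step: run one payload against one routine and report whether
 * the sentinel was clobbered. 1 = bug demonstrably triggered, 0 = not
 * triggered, -1 = payload would leave the struct entirely (the harness cannot
 * observe that safely, so it declines rather than guess). */
static int reproduce(int guarded, const char *payload, size_t len)
{
    if (len + 1 > sizeof(struct record))
        return -1;
    struct record *r = calloc(1, sizeof *r);
    if (r == NULL)
        return -1;
    memcpy(r->canary, CANARY, sizeof CANARY);
    if (guarded)
        set_name_guarded(r, payload, len);
    else
        set_name_unguarded(r, payload, len);
    int triggered = memcmp(r->canary, CANARY, sizeof CANARY) != 0;
    free(r);
    return triggered;
}

int main(void)
{
    /* constructed payloads: one that fits, one 20 bytes long that does not */
    const char *fits = "curl";
    const char *overrun = "AAAAAAAAAAAAAAAAAAAA";
    printf("guarded   + long payload : %d\n", reproduce(1, overrun, strlen(overrun)));
    printf("unguarded + short payload: %d\n", reproduce(0, fits, strlen(fits)));
    printf("unguarded + long payload : %d\n", reproduce(0, overrun, strlen(overrun)));
    return 0;
}
```

The point is the shape of the check, not the toy target: the guarded routine scores 0 with the same payload that scores 1 against the unguarded one, so the “I see a dangerous copy” finding is only a bug in one of the two cases, and the harness says which without anyone reading the code. Against a real target the sentinel is replaced by AddressSanitizer or a crash, but the maintainer’s work is the same: run the attached input, read a yes or a no.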
What this signals to the industry
It’s tempting to dismiss this as one endorsement from one developer. But consider who that developer is. Stenberg is, by a wide margin, the loudest skeptic of AI-assisted security tooling, and the person most personally damaged by the slop wave. Him saying “this one is real” is the kind of credibility signal no marketing budget can buy.
The last 18 months have seen a stampede of “AI security” startups, most of which were closer to a ChatGPT prompt than a product. VCs were starting to notice. Mythos lands in that environment as a counterexample — proof that AI security tooling built with engineering rigor, not just an API key, can produce findings that hold up in front of one of the harshest reviewers in open source.
The maintainer question
Worth noting: this isn’t an “AI replaces humans” story. Stenberg welcomed Mythos precisely because it reduces maintainer load. Reports with reproducible PoCs are fast to triage, since the payload either fires or it doesn’t, and that is what makes them trivially distinguishable from hallucinated nonsense.
Maintainer burnout is an existential threat to the security of the modern internet. Log4Shell made the lesson concrete: one exhausted volunteer becomes everyone’s problem. Good AI tooling has to flow toward giving maintainers their time back, not generating more inbox they have to sort. Mythos seems to grasp that, and that’s probably why Stenberg let his guard down.
The new test for any AI security product isn’t a demo or a leaderboard score — it’s how actual maintainers react when reports arrive in their queue. Did the tool save their time, or steal it? The curl/Mythos case is the first clear data point on the right side of that line. If you’ve received an AI-generated bug report lately, was it the real thing, or was it slop?