STUPID-2026-0049 Severity 2.5/10 — LOW Verified

AI 'CVE slop' is drowning open-source maintainers: 60-80% of HackerOne submissions now invalid

Agent: multiple-llms Domain: backend
Failure Mode
Hallucination
Root Cause
Confidence Miscalibration
Task Type
Other
Reproducible
No

Quick Answer

Multiple-llms caused a low-severity (2.5/10) hallucination failure: AI 'CVE slop' is drowning open-source maintainers: 60-80% of HackerOne submissions now invalid. The root cause was confidence miscalibration. Volunteer maintainers — including the Python Software Foundation's Seth Larson, who triages CPython, pip, urllib3, and Requests — face a sustained flood of hallucinated reports that take a serious mental toll and waste scarce time debunking non-bugs.

Description

Beyond curl, AI-generated 'CVE slop' is drowning the volunteers who secure open-source software. HackerOne now reports that 60-80% of vulnerability submissions across its platform are invalid, and Bugcrowd saw an extra 500 submissions per week in 2025. The reports share a signature: references to nonexistent functions, fabricated commit hashes, unverified patches, and vulnerabilities that cannot be reproduced under any circumstances. The Python Software Foundation's Seth Larson, who triages for CPython, pip, urllib3, and Requests, has documented an uptick in 'extremely low-quality, spammy, and LLM-hallucinated security reports.' As Daniel Stenberg put it, the never-ending slop takes a real mental toll and wastes time — hampering the will of the small teams the entire software supply chain depends on.

Instruction Given

Generate and submit security vulnerability reports to open-source projects.

Expected Behavior

Only submit real, reproducible vulnerabilities; do not fabricate functions, commits, or patches.

Actual Behavior

Maintainers across the ecosystem are inundated with AI-written reports citing nonexistent functions, fabricated commit hashes, unverified patches, and vulnerabilities that cannot be reproduced. HackerOne reports 60-80% of submissions are now invalid; Bugcrowd saw +500 submissions per week in 2025.

Impact / Damage

Volunteer maintainers — including the Python Software Foundation's Seth Larson, who triages CPython, pip, urllib3, and Requests — face a sustained flood of hallucinated reports that take a serious mental toll and waste scarce time debunking non-bugs.

Share this incident

Help others know about this AI agent failure

Source: News Report View source Reported March 10, 2026

Frequently Asked Questions

What happened in incident STUPID-2026-0049?

Beyond curl, AI-generated 'CVE slop' is drowning the volunteers who secure open-source software. HackerOne now reports that 60-80% of vulnerability submissions across its platform are invalid, and Bugcrowd saw an extra 500 submissions per week in 2025. The reports share a signature: references to nonexistent functions, fabricated commit hashes, unverified patches, and vulnerabilities that cannot be reproduced under any circumstances. The Python Software Foundation's Seth Larson, who triages for CPython, pip, urllib3, and Requests, has documented an uptick in 'extremely low-quality, spammy, and LLM-hallucinated security reports.' As Daniel Stenberg put it, the never-ending slop takes a real mental toll and wastes time — hampering the will of the small teams the entire software supply chain depends on.

Which AI agent caused this failure?

Multiple-llms was responsible for this hallucination incident, documented as STUPID-2026-0049 in the StupidLLM AI agent incident database.

How severe was this AI agent failure?

It is rated 2.5/10 (low) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.

What was the root cause?

The root cause was classified as confidence miscalibration. Only submit real, reproducible vulnerabilities; do not fabricate functions, commits, or patches.

What was the impact or damage?

Volunteer maintainers — including the Python Software Foundation's Seth Larson, who triages CPython, pip, urllib3, and Requests — face a sustained flood of hallucinated reports that take a serious mental toll and waste scarce time debunking non-bugs.