open-source
ai-slop
curl
software-maintenance
developer-culture
security

The Tool on 20 Billion Devices Just Closed Its Inbox for the Summer

The most important tool you have never heard of shut its bug-report door for a month. Here is why that should bother you a little.

curl runs on an estimated 20 billion devices, maintained by a handful of volunteers. A flood of AI-written bug reports just closed their inbox.

Picture the most important piece of software you have never heard of. It is called curl. It is small, it is free, and it does one thing: it moves data from one place to another. When your car pulls down a map update, when your TV checks for a new episode, when your phone quietly syncs a photo at 3am, there is a very good chance a little program called curl is the thing doing the fetching. It has been doing this for decades. It is now installed on an estimated 20 billion devices, which is more devices than there are people, more than twice over.

In July 2026, the people who keep curl running did something that sounds, on its face, insane. They closed the door on security bug reports for a month. From July 1 to August 3, if you found a genuine flaw in one of the most widely used tools on the planet, you were asked to please hold that thought (as of July 2026, per Cybernews).

They did not do it because they stopped caring. They did it because they were drowning. And the thing they were drowning in was written by machines.

What curl is, in one honest sentence

curl is plumbing. Not the glamorous kind you see, the kind behind the wall that you only think about when it fails. It quietly carries data between things all day, for free, and almost nobody who benefits from it knows its name. That is the setup you need to hold onto, because the story is not really about a tool. It is about the very small number of humans standing behind the wall.

What actually happened

Daniel Stenberg leads curl, and he has a name for the problem. In July 2025 he wrote a post titled "death by a thousand slops" (daniel.haxx.se, Jul 14 2025). "Slop" is the going term for AI-generated output that looks right and is not. A slop bug report is a security warning that reads like the real thing, formatted correctly, confident in tone, and completely made up.

Here is why that is not a minor annoyance. When someone reports a security bug in curl, a human has to take it seriously. They have to read it, understand it, try to reproduce it, and decide whether the world is now slightly on fire. That is real work, and it costs the same hour whether the report is genuine or invented. A machine can generate a hundred convincing fakes before that human finishes their coffee.

So the volunteers were doing the digital equivalent of answering a fire alarm that goes off every ten minutes, where nine out of ten alarms are a prank, and the tenth might be a real fire. In January 2026, they ended the paid bug bounty that had been drawing much of the flood (bounty ended Jan 31 2026). By July, they closed the inbox entirely for a month, a break Stenberg himself called the summer of bliss. Bliss here being mostly the sound of your notifications finally going quiet.

The twist nobody puts on a slide

Here is the part that makes this more interesting than "AI makes garbage." By March 2026, something shifted. The wild hallucinations mostly stopped. The reports started arriving well-formed and plausible, the kind that read like a competent human wrote them. The share that turned out to be real, valid bugs climbed back to curl's historical normal of roughly 15 percent, up from under 5 percent during the worst of the flood (byteiota, 2026).

The volume did not drop. It roughly doubled.

So the problem mutated, and it mutated into something worse. Obvious garbage is easy to throw out; you can smell it in a line or two. A well-formed, plausible report has to be read in full, taken seriously, and checked, even though around 85 percent of them still lead nowhere. A core team of about seven people, most of them unpaid, now has to give real attention to twice as many reports, most of which are still wrong. And that is the quiet lesson buried in all of this: machine accuracy was never the bottleneck. Human attention was.

This is the bit the optimistic version skips. The cheerful story is "AI will help maintainers find more bugs." Sometimes it genuinely does. But finding a bug was never the expensive part. Someone still has to read it, believe it, reproduce it, fix it, and ship the fix, and that someone is a person with a day job and a finite number of evenings. You can automate the finding. You cannot automate the caring, or the reviewing, or the being-responsible-when-it-breaks.

Machine accuracy was never the bottleneck. You can automate finding a bug. You cannot automate the reading, the believing, the reproducing, and the being responsible when it breaks. Human attention is the scarce resource, and it does not scale with the cost of generation.

Why this should bother you a little

Zoom out from curl for a second. The uncomfortable thing curl just made visible is that a startling amount of the internet runs on software maintained by a handful of unpaid people. The popsicle-sticks-holding-up-a-bridge image gets used a lot, and it is used a lot because it is accurate. When you send a message, board a plane, or tap your card for coffee, some link in that chain almost certainly depends on a project maintained by two or three people and a large reserve of goodwill.

That was already true last year. What changed is the economics. AI made it effectively free to produce a convincing bug report, a convincing pull request, a convincing anything. And "cheap to produce, expensive to evaluate" is the exact recipe for burying any system that runs on human review. It is not malice. Most of the people sending slop think they are helping. That is almost worse.

The way Stenberg frames it is the part to remember: the slop flood is effectively a denial-of-service attack on open source. curl can take the hit, because curl has funding, a reputation, and people paying attention. The smaller projects, the ones held up by a single exhausted person, do not stand a chance. It will not stop at curl, because the incentive is everywhere. Anywhere a human has to read what a machine can now generate for free, the same math applies.

The human part

curl is not dying. The inbox reopens August 3. The tool is fine, the fix will hold, the plumbing keeps carrying your data. The point is quieter than a crisis, and it should outlast this particular summer: we built a civilization on the free labor of people we mostly cannot name, and then we handed everyone on earth a machine that can flood those people's inboxes at no cost. A month with the door shut is a coping mechanism, not a solution.

So here is the small, un-doom-laden thing to do with all this. Think of one free, open tool you lean on. Something you have never paid for and never thought about. Go find out who actually maintains it, and whether they are okay. That is not a technical question. It is a human one, and right now it might be the most useful question in the whole industry.

Every bridge has its popsicle sticks. The least you can do is learn the names of the ones holding up yours.

Sources

More Where This Came From

Plain-language takes on the tech that runs quietly behind the wall. No jargon tax, no vendor agenda, and a healthy suspicion of anything a machine generated for free.