It's handy if you run a service and the internet runs clients you didn't write to access said service. (or vice versa)
Also handy if the internet is running a DDoS reflector and you're being targetted.
Otherwise, usually no sense of urgency for fixes I did for me/my employer and want the rest of the world to benefit. My problem is solved now, everyone else can get it when it ships.
You don’t need to backport other people’s fixes. You only need to re-merge your patches into updated versions of the upstream (aka vendor branch), which usually is straightforward.
Maybe you mean that if there are many people like you, they’d want to integrate each other’s fixes. But then you’d probably have the combined manpower to start maintaining a true fork.
Yes - and realistically, if you're $BIGCO who's shipped a billion devices with some obscure curl vulnerability you just discovered, then the hard part is going to be rolling out a patch to all of them anyway, which is still a 'you' problem.
In 2026 there is a considerably cheaper/quicker solution, but that in no way invalidates OSS maintainers' right to enjoy a summer vacation without interruption.
I worry that this will make the bad guys focus on finding zero days during the month they have free to exploit anything they find, but I don't doubt that they need a break.
Remember though that many other AIs had already run and found issues that were fixed. If you had a time machine and took Mythos back a year it probably would have found a lot more. (if anyone has access to mythos it wouldn't be hard to test - download a release from last year and check)
Actually, submitting hundreds of bogus/low impact AI generated ones while you sit on something big might be a viable strategy to delay a project from fixing a hole you're using
Cool, then it's down to everyone using this library to figure out how they can minimize the impact of a zeroday in curl - security should never be down to a single part of a system.
Is this likely though? If you are an AI slop model that
spams out finding bugs and vulnerabilities, would you
want to become more active when you see that a project
is not actively fixing bugs? Because in my opinion, it
really would not matter for any AI model how active a
project is, when it comes to FINDING existing loopholes.
In other words, I would always go at full speed (as an
evil AI slop model) and most likely never release any
findings of flaws and loopholes, so they can be exploited lateron. Bad folks don't want to be caught; remember the xz utils backdoor.
I am sure some AI slop models are used by criminals.
And they may exploit things at a later time, but they
most likely have found issues already. Not every AI
slop model would report.
The notion of "the bad guys will now be more active" is
strange really in the AI slop age. (We had the stone
age; now we have the slop age)
> Probably not. But we will.
A pleasant dose of humanity in decidedly inhuman times.