Complaints About “AI Slop” Vulnerability Reports Ignore That Security Spending is Going to The Wrong Places
Despite billions and billions being spent on security, security remains bad. That applies to software in general and to WordPress plugins. Maybe more money needs to be spent, but it is more likely that the money is being spent on the wrong things. The latter issue applies to reviewing the security of software and to handling reports of security issues. But it keeps being ignored. The Register published a story this week by Thomas Claburn about “AI slop” vulnerability reports, which involve AI-generated claims of vulnerabilities that are not true. What the story didn’t address is why those are occurring. Here is one example included in the story:
As if to underscore the persistence of these concerns, a Curl project bug report posted on December 8 shows that nearly a year after maintainer Daniel Stenberg raised the issue, he’s still confronted by “AI slop” – and wasting his time arguing with a bug submitter who may be partially or entirely automated.