Stanislav Fort
A missing parameter passed to the return callback would crash applications that use legacy BIO callbacks with the new mmsg functions.
Private key file permissions not set in OpenSSL req (PR #29397).
The req command was not always setting proper permissions on private key output files.
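The permissions problem above is a general one, so here is an added example (my own code, not OpenSSL's, and not the fix from the PR) of the two ways a tool can write a private key file and a check a practitioner can run over an existing key. The safe writer creates the file with mode 0600 in the open() call itself, so there is never a window in which the key is world-readable; the unsafe writer uses fopen(), which creates with 0666 masked by the umask. The key bytes and the file names are constructed placeholders.

```c
/* Added example, not OpenSSL's own code: create a private key file with
 * owner-only permissions from the moment it exists, beside the fopen()
 * pattern that leaves it readable by others, plus a check for existing files.
 * The key bytes are a constructed placeholder, not a real key. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Safe: create with mode 0600 atomically. O_EXCL also makes open() fail if
 * `path` already exists or is a symlink, so a pre-planted link cannot
 * redirect the write. Returns 0 on success, -1 on error (errno set). */
int write_private_file(const char *path, const void *data, size_t len) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    const unsigned char *p = data;
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fd, p + off, len - off);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            unlink(path);
            return -1;
        }
        off += (size_t)n;
    }
    if (close(fd) != 0) {
        unlink(path);
        return -1;
    }
    return 0;
}

/* Unsafe: fopen() creates with 0666 & ~umask, so under the usual umask 022
 * the key lands on disk as 0644, readable by every local user. */
int write_private_file_unsafe(const char *path, const void *data, size_t len) {
    FILE *f = fopen(path, "wb");
    if (f == NULL)
        return -1;
    size_t n = fwrite(data, 1, len, f);
    return (fclose(f) == 0 && n == len) ? 0 : -1;
}

/* Check an existing file: 1 if it is a regular file with no group/other
 * permission bits, 0 if it is exposed, -1 if it cannot be stat'ed. */
int key_file_is_private(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0 ? 1 : 0;
}

/* Write the placeholder key into `dir` with the given writer under umask 022,
 * run the check, remove the file, and return the check's verdict. */
static int write_and_check(const char *dir, const char *tag,
                           int (*writer)(const char *, const void *, size_t)) {
    static const char key[] =
        "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n";
    char path[4096];
    snprintf(path, sizeof path, "%s/keyperm_%ld_%s.pem", dir, (long)getpid(), tag);
    unlink(path);                 /* start clean; O_EXCL refuses to overwrite */
    mode_t old = umask(022);      /* the common interactive default */
    int rc = writer(path, key, sizeof key - 1);
    umask(old);
    if (rc != 0)
        return -1;
    int verdict = key_file_is_private(path);
    unlink(path);
    return verdict;
}

int demo_safe_mode(const char *dir)   { return write_and_check(dir, "safe", write_private_file); }
int demo_unsafe_mode(const char *dir) { return write_and_check(dir, "unsafe", write_private_file_unsafe); }

int main(void) {
    printf("safe writer private: %d, unsafe writer private: %d\n",
           demo_safe_mode("/tmp"), demo_unsafe_mode("/tmp"));
    return 0;
}
```

Setting the umask in the demo is only there to make the unsafe outcome deterministic; real code must not rely on the caller's umask at all, which is exactly why the mode goes into open() rather than being fixed up with chmod() afterwards.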
This is the outcome we're eventually working towards: vulnerabilities prevented proactively, not only patched retroactively after deployment.
The concentration of findings from a single research team, spanning this breadth of subsystems and vulnerability types, is historically unusual for OpenSSL and is in my view in large part due to our heavy use of AI.
OpenSSL is not the only critical infrastructure project we've been testing our system against.
Curl, the super ubiquitous data transfer tool, tells a very similar story.
In July 2025, Daniel Stenberg, Curl's creator and main maintainer, wrote "Death by a Thousand Slops", a frustrated account of AI-generated garbage flooding the Curl bug bounty program.
According to him, about 20% of submissions were AI slop, and only 5% of all 2025 submissions turned out to be genuine vulnerabilities.
The cost this imposed on Curl's small security team was unsustainable in the long term.
Just yesterday, January 26, 2026, Stenberg announced the end of the Curl bug bounty.
The program that had run since 2019 and paid out over $90,000 for 81 genuine vulnerabilities was essentially killed by the flood of low-quality AI submissions.
While the story above was unfolding, we at Aisle, operating as giant anteater on HackerOne and later in personal correspondence with Daniel, reported findings that turned into five genuine CVEs in Curl.
CVE-2025-10966
HackerOne #3355218
CVE-2025-11563
Double path traversal with percent-encoded slashes
CVE-2025-13034