Stanislav Fort
End quote.
This is a really clear example of a very common bifurcation of the top of a distribution from its median.
Mass adoption collapsed the median quality ("slop killed the bug bounty" equals a very viral story for people who assume that AI is bad at things a priori), but simultaneously raised the ceiling: we found many real vulnerabilities that the curl team valued enough to patch, assign CVEs to, and pay bounties for.
Heading.
The era of AI cybersecurity is here for good.
The evidence is in my view no longer anecdotal.
Across two of the most critical, well-audited, and security-conscious code bases on the planet, we see a very clear signal.
OpenSSL
15 CVEs discovered by AISLE's AI system across late 2025 and early 2026 (13 of 14 total CVE-2025-* plus 2 CVE-2026-*).
12 out of 12 CVEs in a single, most recent release.
4.
Additional vulnerabilities caught before they shipped.
Patches contributed and accepted into official releases.
Curl.
Five CVEs discovered and patched using AISLE's AI.
Three of six CVEs in the curl 8.18.0 release.
Several hundred bugs fixed, per the maintainer, by AISLE and other AI-based tools.
These are external validations from projects with every incentive to be skeptical.
OpenSSL and curl maintainers don't hand out CVEs as participation trophies.
They have conservative security postures, limited time, and, especially in curl's case, deep frustration with low-quality AI submissions.