Stop using AI to submit bug reports, says Google

Mar 20, 2026

But here’s some cash to help process them, say Google and other AI companies.


Google will no longer accept AI-generated submissions to a program it funded to find bugs in open-source software. However, it is contributing to a separate program that uses AI to strengthen security in open-source code.

The Google Open Source Software Vulnerability Reward Program team is increasingly concerned about the low quality of some AI-generated bug submissions, with many including hallucinations about how a vulnerability can be triggered or reporting bugs with little security impact.

“To ensure our triage teams can focus on the most critical threats, we will now require higher-quality proof (like OSS-Fuzz reproduction or a merged patch) for certain tiers to filter out low-quality reports and allow us to focus on real-world impact,” Google wrote in a blog post.

The Linux Foundation, too, is finding the volume of AI-generated bug submissions overwhelming and has sought financial help from AI companies including Google, Anthropic, AWS, Microsoft, and OpenAI to deal with the problem. Together, they are contributing $12.5 million to the foundation to improve the security of open-source software.

“Grant funding alone is not going to help solve the problem that AI tools are causing today on open-source security teams,” said Greg Kroah-Hartman of the Linux kernel project in a blog post. “OpenSSF has the active resources needed to support numerous projects that will help these overworked maintainers with the triage and processing of the increased AI-generated security reports they are currently receiving.”

The funding will be managed by the open-source security project Alpha-Omega and the Open Source Security Foundation (OpenSSF), and will be used to provide AI tools to help maintainers deal with the volume of AI-generated submissions.

“We are excited to bring maintainer-centric AI security assistance to the hundreds of thousands of projects that power our world,” said Alpha-Omega co-founder Michael Winser.

Maxwell Cooter
