Why bother submitting vulnerability reports just because some AI claims one with no POC?
There’s a bounty on reported vulnerabilities (meaning money is paid out) and you could get a lot of fame, if you’re the security researcher who found something in Curl. When it takes basically zero effort to generate a report and there’s a theoretical non-zero chance for the AI to generate a valid report (or at least some people are convinced of that), then you’ll have people hoping to make a quick buck.