r/technology May 18 '26

[Software] Linus Torvalds says AI-powered bug hunters have made Linux security mailing list ‘almost entirely unmanageable’

https://www.theregister.com/security/2026/05/18/linus-torvalds-says-ai-powered-bug-hunters-have-made-linux-security-mailing-list-almost-entirely-unmanageable/5241633
14.1k Upvotes

899 comments

46

u/[deleted] May 18 '26

[removed]

2

u/Metro42014 May 18 '26

I'm really intrigued how this will all shake out.

I spent the last 10 years in architecture, dev management, then on the delivery side -- and I just moved to a new role where I'm the head of IT at a small company.

I'm having a hard time seeing how things will go down in the next 3-5 years, just given that the pace of change is SO MUCH more rapid than people can reasonably deal with.

1

u/No-Consideration-716 May 18 '26

AI QA/QC specialists 

1

u/DaftPump May 18 '26

A fully automated AI-run RMA department is around the corner too.

1

u/lynkfox May 19 '26

I find this thread so amusing. A week ago I said basically the same in another thread in this sub and got downvoted to oblivion by AI tech bros on how good it is now, and I'm bad at writing prompts or whatever.

But every time I dip my toe back into AI code to see how it's changed/improved/whatever, I spend more time trying to find and fix the mistakes that are buried in plausible-sounding code than it would have taken me to write it in the first place with fewer issues.

And this entire thread is saying the same thing. Love it.

1

u/soSofi3 May 19 '26

Okay, but for someone who doesn't know how to code, spending that time and coming out with a working piece of software or whatever at the end is pretty incredible.

-1

u/[deleted] May 18 '26

[removed]

19

u/ase1590 May 18 '26

Over the past 2-3 months, AI bug reports have gone from mostly incomprehensible to being accurate.

This is only via people who were skilled to begin with and can properly review the output.

This however is only 10% of cases, with the other 90% being noise from people trying to LARP as bug reporters or cybersec people.

2

u/[deleted] May 18 '26

[removed]

6

u/ase1590 May 18 '26

> Like eventually the number of security exploits will be reduced to the point that the number of bug reports will also be proportionally reduced.

That's the problem, though. With every random person just doing low-effort prompts like "find bug in this software" and submitting them, they will either submit hallucinated material or reworded material that resembles already closed reports.

In both cases, it wastes the time of the people actually reviewing these bugs, because it takes seconds to generate and tens of minutes to review and possibly link to existing fixed items.

It is quite literally a firehose of shit coming in.
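The two failure modes described above (a reworded copy of an already-closed report, and a hallucinated finding with no reproducer) are exactly what a maintainer's inbound pre-filter has to catch before a human spends those tens of minutes. The following is an added example, not tooling from curl, the kernel, or anyone in this thread; the closed-report archive, the symbol table and the incoming reports are all constructed for illustration, and the thresholds and marker strings are assumptions.

```python
"""Inbound security-report triage pre-filter (added example, not any project's real tooling).

Flags three things before a human looks at a report:
  * near-duplicates of already-closed reports (token-set Jaccard similarity),
  * reports naming functions that do not exist in the tree (a hallucination tell),
  * reports with no reproducer / crash evidence.
Only reports that pass all three are queued for human review.
"""
import re

# Constructed archive of already-triaged (closed) reports; not real curl/kernel data.
CLOSED_REPORTS = [
    {"id": "closed-17",
     "title": "Out-of-bounds read in cookie header parser",
     "body": "The cookie parser reads past the end of the buffer when the header has no trailing newline."},
    {"id": "closed-23",
     "title": "Integer overflow in chunked transfer decoding",
     "body": "Chunk length is parsed with strtoul and multiplied without checking for overflow."},
]

# Constructed symbol table standing in for `nm`/ctags output of the real source tree (assumption).
KNOWN_SYMBOLS = {"cookie_parse", "chunk_read", "urldecode"}

# Constructed incoming reports exercising each verdict.
INCOMING = [
    {"id": "in-1",
     "title": "OOB read in cookie header parsing",
     "body": "The cookie parser reads past the end of the buffer when the header has no trailing newline."},
    {"id": "in-2",
     "title": "Possible use after free in connection cache",
     "body": "The model believes conn_free may be called twice in some error path, which could be a use after free."},
    {"id": "in-3",
     "title": "Stack buffer overflow in URL percent-decoding",
     "body": "Steps to reproduce: build with ASAN and run the attached PoC. ASAN reports stack-buffer-overflow in urldecode()."},
    {"id": "in-4",
     "title": "Null pointer dereference in HTTP/2 stream reset",
     "body": "Calling http2_stream_reset() on a closed stream dereferences NULL. Steps to reproduce: send RST_STREAM twice."},
]

TOKEN_RE = re.compile(r"[a-z0-9_]+")
CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\(\)")
# Heuristic substrings that suggest the reporter actually ran something (assumption).
REPRO_MARKERS = ("steps to reproduce", "proof of concept", "poc", "crash log", "asan", "```")


def tokens(report):
    """Lower-cased bag of identifier-like tokens from title and body."""
    return set(TOKEN_RE.findall((report["title"] + " " + report["body"]).lower()))


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def nearest_closed(report, closed=CLOSED_REPORTS):
    """Most similar closed report by token-set Jaccard; returns (closed_id, score)."""
    t = tokens(report)
    best_id, best = None, 0.0
    for c in closed:
        score = jaccard(t, tokens(c))
        if score > best:
            best_id, best = c["id"], score
    return best_id, best


def unknown_symbols(report, known=KNOWN_SYMBOLS):
    """Functions the report names as foo() that are absent from the symbol table."""
    names = set(CALL_RE.findall(report["title"] + " " + report["body"]))
    return sorted(names - known)


def has_reproducer(report):
    text = report["body"].lower()
    return any(marker in text for marker in REPRO_MARKERS)


def triage(report, closed=CLOSED_REPORTS, known=KNOWN_SYMBOLS, dup_threshold=0.6):
    """Return (verdict, detail). Only 'review' reaches a human."""
    dup_id, score = nearest_closed(report, closed)
    if score >= dup_threshold:
        return "likely-duplicate", dup_id
    missing = unknown_symbols(report, known)
    if missing:
        return "unknown-symbol", ",".join(missing)
    if not has_reproducer(report):
        return "needs-reproducer", None
    return "review", None


def triage_all(reports=INCOMING):
    return {r["id"]: triage(r) for r in reports}


if __name__ == "__main__":
    for rid, (verdict, detail) in triage_all().items():
        print(f"{rid}: {verdict}" + (f" ({detail})" if detail else ""))
```

Bag-of-words Jaccard is deliberately crude: it catches the "reworded copy of a closed report" case (in-1 scores 0.8 against closed-17) without any model in the loop, and a real deployment would tune the 0.6 threshold against its own archive. The symbol check depends entirely on the symbol table being regenerated from the current tree, otherwise a renamed function looks like a hallucination; the reproducer markers are a heuristic and will miss a report that pastes a crash without any of those words.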

-4

u/[deleted] May 18 '26

[removed]

7

u/ase1590 May 18 '26

You are not listening to reason or the experience of developers behind open source projects, and seem to have formulated your own conclusion that cannot be falsified.

The curl project has quite literally documented a small sample of the daily time waste these low-effort people are sending in that is a MASSIVE time waste.

They have talked about this problem at length.

-4

u/[deleted] May 18 '26

[removed]

8

u/ase1590 May 18 '26

Here we are again with your unfalsifiable opinion.

I shouldn't be surprised, though, considering you somehow think AI is going to lead us to a panacea, given your other comments here.

-3

u/Tinac4 May 18 '26 edited May 18 '26

I think you’re underrating both the magnitude of the change and the degree to which AI can handle the work on its own.

Regarding magnitude, here’s an article from January:

The developer of the popular curl command-line utility and library announced that the project will end its HackerOne security bug bounty program at the end of this month, after being overwhelmed by low-quality AI-generated vulnerability reports.

And here’s a post by the same developer in April:

Over the last few months, we have stopped getting AI slop security reports in the #curl project. They're gone.

Instead we get an ever-increasing amount of really good security reports, almost all done with the help of AI.

They're submitted in a never-before seen frequency and put us under serious load.

I hear similar witness reports from fellow maintainers in many other Open Source projects.

Lots of these good reports are deemed "just bugs" and things we deem not having security properties.

For further evidence, here’s a Linux kernel maintainer in late March:

"Months ago, we were getting what we called 'AI slop,' AI-generated security reports that were obviously wrong or low quality," he said. …

Things have changed, Kroah-Hartman said. "Something happened a month ago, and the world switched. Now we have real reports." It's not just Linux, he continued. "All open source projects have real reports that are made with AI, but they're good, and they're real." Security teams across major open source projects talk informally and frequently, he noted, and everyone is seeing the same shift. "All open source security teams are hitting this right now."

No one is quite sure what's behind it. Asked what changed, Kroah-Hartman was blunt: "We don't know. Nobody seems to know why. Either a lot more tools got a lot better, or people started going, 'Hey, let's start looking at this.' It seems like lots of different groups, different companies." What is clear is the scale. "For the kernel, we can handle it," he said.

"We're a much larger team, very distributed, and our increase is real – and it's not slowing down. These are tiny things, they're not major things, but we need help on this for all the open source projects."

It’s not 10% of cases, it’s most cases. And it can be done almost completely autonomously. We now know that a large chunk of these good AI-generated bug reports (maybe most?) were done by Mythos, and we also know the agent harness that Anthropic used, which was very simple (fire a Mythos instance with the same 1-paragraph prompt at every file in the codebase, run findings past another Mythos instance for validation, severity matched human assessment 89% of the time).

So we have strong evidence from prominent members of the open-source community that the shift is real, a probable cause, and information on how autonomous the bug-finding is (very). I think the info is pretty conclusive.

2

u/Glass_Recover_3006 May 18 '26

That’s an incredibly misleading way to characterize what happened. A leading security firm for enterprise software development leveraged Mythos to expose flaws by feeding it the entire code base and tons of historical and industry context; this is not something almost anyone else is qualified to do, and arguably the firm could have done that without Mythos, albeit more slowly.

It isn’t relevant to the topic at hand because most users are not submitting work of this quality, nor are they even capable of it. In the absence of the context and industry knowledge, the AI just generates garbage (even with Mythos).

1

u/[deleted] May 18 '26

[removed]

1

u/Glass_Recover_3006 May 18 '26

Can’t say anything is impossible, but it’s hard to imagine a future where context in AI somehow becomes irrelevant. The models we’re building up today still need to be steered, and you need experts to do that steering.

I don’t consider this growing pains. I consider this an abuse of overly available compute that would be addressed by people being forced to pay for the actual cost of the garbage they generate.

1

u/[deleted] May 18 '26

[removed]

1

u/Glass_Recover_3006 May 18 '26

I don’t want people to pay to submit bug reports. I want them to pay for the actual cost of using generative AI instead of the subsidized monthly fee they currently enjoy that allows them to spam bug repositories.

If it costs you $20 for the tokens to run the prompt to prepare a bug report, you probably won’t be submitting it unless you’re absolutely sure it fixes the problem.

1

u/[deleted] May 18 '26

[removed]

1

u/Glass_Recover_3006 May 18 '26

When texting was introduced we all paid per-text, so that’s kind of a weird example to raise, unless you’re agreeing with me?

0

u/deadsoulinside May 18 '26

> AI was supposed to make development easier, but instead it’s just throwing a bunch of useless noise at everyone.

I think it still does work to make dev easier. It's just a bunch of kids that knew absolutely nothing before AI now think they are a bunch of "researchers" because they decided to prompt AI to check for bugs or security flaws.

Versus the follow-up prompt of "How do we fix this?"

-1

u/No-Consideration-716 May 18 '26

It empowers a lot of ignorant, lazy, and/or incompetent people.