AISLE Discovered 5 CVEs in curl. Now curl Uses Our AI to Secure Its Code

AI-generated slop buried maintainers in low-quality reports, but AISLE’s autonomous analysis uncovered real vulnerabilities.

In late 2025, the curl project closed its paid bug bounty program after 7 years, 81 discoveries, and over $90,000 in rewards. Its lean team had become overwhelmed by a flood of low-quality, AI-generated submissions. It was, as curl’s creator Daniel Stenberg put it, “death by a thousand slops.”

But there was a diamond in the rough of AI findings. According to Stenberg, “a new breed of analyzer” had emerged. In the months before the curl project retired the paid bounty, 24 curl pull requests were attributed to AISLE’s AI platform and five security issues were assigned CVEs, for a total of 29 valid findings.

So even though AI killed curl’s paid bug bounty, curl maintainers have been using AISLE to proactively spot and fix vulnerabilities since early February. And we now have an interesting point of comparison for its performance: Mythos.

What AISLE Discovered

In total, AISLE discovered five CVEs in curl. These are:

When we noticed that the AISLE platform had flagged an issue with the wolfSSH backend, we trained it on wolfSSH and uncovered two additional CVEs there:

Raising the Ceiling

Even as mediocre AI reports made it difficult for curl’s maintainers to make their way through submissions, high-quality systems like AISLE’s discovered dozens of valid security issues. As our co-founder Stanislav Fort notes in LessWrong,

This is a really clear example of a very common bifurcation of the top of a distribution from its median. Mass adoption collapsed the median quality (“slop” killed the bug bounty = a very viral story for people who assume that AI is bad at things a priori), but simultaneously raised the ceiling (we found many real vulnerabilities that the curl team valued enough to patch, assign CVEs to, and pay bounties for).

AI resists generalization. Yes, it shuttered the bug bounty, but it also made it obsolete. Though curl is no longer rewarding outside researchers for discovering vulnerabilities, it is using AISLE internally to achieve the same goal: thorough, continuous assessment.

Mythos Weighs In

When Anthropic announced project Glasswing in April 2026, it committed to making its cybersecurity model, Mythos, available to select open source projects. In May, Stenberg wrote that Mythos had scanned curl’s git repository and its master branch on a recent commit, with 176,000 lines of C code.

After he reviewed its report, he concluded that Mythos had found one issue deserving of CVE designation, and it was a low-severity issue. In addition, there were a number of further bugs that the curl team was still reviewing.

Following AISLE’s discoveries in the April 2026 releases of OpenSSL and FreeBSD, this result is further confirmation of our thesis that cybersecurity capability is jagged. Rather than being tied to a single frontier model, cyber reasoning is a multi-phase process best solved by a multi-agent system. And for enduring results, that system must do more than analyze: it must triage, remediate, and validate at machine speed.

Safeguarding the Software Foundations of Modern Civilization

As machine-generated code strains the incentive systems that make open source possible, we believe AISLE can level the playing field. That’s why we’re excited to be providing it to the curl project so they can fight fire with fire.

Curious to see what AISLE can do for your organization? Reach out to us.