In 2025, Daniel Stenberg, the sole full-time maintainer of cURL working alongside six volunteer teammates, received 181 bug and vulnerability notifications, about the same as the previous two years combined. By April 9, 2026, the project had already logged 87 requests, putting annual reports on pace for about 325 by year end, roughly matching everything cURL received from 2020 through 2023. Because almost all triage and repairs are handled by one person, the workload is highly concentrated: each report takes about two hours on average to resolve, and even Easter Sunday brought five security alerts in a single day.

Stenberg says the 2025 spike was amplified by AI assistants such as ChatGPT and Claude, which made submitting reports easier. Since then, AI-driven exposure has accelerated: Anthropic’s Mythos, announced on April 7, 2026, claims it can autonomously discover and exploit zero-day vulnerabilities across major operating systems and browsers; UK banks will get access next week; around 40 critical maintainer organizations, including CrowdStrike and the Linux Foundation, were granted limited access. Anthropic also offered $4 million in maintainer grants, a tiny sum against its $14 billion run-rate revenue. OpenAI responded with GPT-5.4-Cyber for vulnerability hunting. The cURL codebase now totals 592,566 lines, and legacy “cruft” combined with a small maintainer pool amplifies the risk.

As AI-driven triage scales, volume itself, not only difficulty, is becoming a bottleneck. In cURL, more than 200 AI-identified issues were fixed in six months. Others, including Willy Tarreau and Dirk Hohndel, have described this flood as frightening, or as a DDoS attack on developers; and the 2021 Java vulnerability once affected 93% of cloud environments when left unpatched. Security incentives are also shifting: Google paused parts of its Open Source Vulnerability Reward program, and Internet Bug Bounty paused new submissions. If AI tools remain human-reviewed yet keep getting faster than attackers, pressure on maintainers is likely to rise further.

2026-04-20 (Monday) · 698a2f6b86a7f766b1fd4e63f545792a0521411e