
Why open-source crypto security could struggle in the age of AI slop
AI-generated vulnerability reports could flood crypto security pipelines, making real bugs harder to find in open-source projects.

The growing challenge of AI-generated vulnerability reports
Open-source development has long rested on a core principle: The more eyes that examine the code, the greater the chance of finding flaws before malicious actors can exploit them.
This idea has become central to crypto. Bitcoin, Ethereum, wallets, cross-chain bridges and decentralized finance (DeFi) platforms all depend on transparent code reviews, independent security experts and well-structured bug bounty programs.
By 2026, however, Linux founder Linus Torvalds had warned about a new issue. AI-assisted bug reports, instead of strengthening security, were starting to create the opposite effect. Poorly written submissions were flooding maintainers and making it harder to manage legitimate security channels.
The real problem is not that AI can find genuine issues. It is that these systems can generate large numbers of credible-looking reports that still require careful human review.
In open-source crypto projects, small teams often protect assets worth billions. In this context, the rising volume of low-value reports could become a serious security concern.
Linus Torvalds’ view on the issue
Torvalds shared his concerns during discussions about security reporting practices for the Linux kernel. His remarks were not aimed at AI tools themselves, but at how people were using them.
He said maintainers were seeing more duplicate, low-value submissions linked to similar AI-assisted methods. Many of these reports described possible problems without showing whether the flaw could be exploited, was already known, had been fixed earlier or had any real security importance.
This has created serious pressure for security teams. They cannot dismiss reports without checking them, as real vulnerabilities may sometimes appear among them. At the same time, each submission requires technical review, validation and follow-up analysis.
A report that takes only minutes to create with AI can require hours of expert time to assess properly. This imbalance is becoming a growing problem across open-source communities.
Did you know? The Linux kernel receives thousands of patches and bug reports during each development cycle. Maintainers increasingly worry that AI-generated submissions may take up more review time than they save.
How automated reports create security noise
AI tools can be effective at drafting technical content. They can review code repositories, detect unusual patterns and create reports that look professional and well-reasoned. However, a convincing tone does not prove that a real security weakness exists.
A legitimate security discovery usually requires several checks:
- Can the reported problem be consistently reproduced?
- Does it occur under realistic usage conditions?
- Does it affect critical assets or high-privilege functions?
- Has the matter already been identified or fixed?
- Is the issue purely theoretical or genuinely exploitable in practice?
AI-generated reports often fail to answer these important questions.
Security professionals and maintainers have reported more cases where automated systems highlight minor edge cases, misunderstand expected functions or overstate the seriousness of small details.
The challenge is that many AI-assisted reports are written in a polished way. As a result, separating weak submissions from serious threats can take more time and effort.
This is why some open-source security discussions describe the problem as noise or AI slop. The phrase refers to a rising volume of reports that take up significant resources while offering only modest improvements to overall protection.
Why open-source teams face more pressure
Large technology companies have more resources to manage this pressure. Companies like Google, Microsoft and Meta have dedicated security response teams, strong funding, advanced internal systems and organized triage processes.
Open-source projects often do not have these advantages.
Critical infrastructure projects may depend on small teams, nonprofit groups or individual volunteers. Several major crypto libraries and protocols also operate with limited engineering resources.
This can leave them exposed to triage overload.
When maintainers spend too much time reviewing low-value AI-generated reports, several problems can follow:
- Legitimate vulnerabilities may take longer to review.
- Maintainers may face added stress or burnout risk.
- Security programs could become more restrictive.
- Public reporting channels may become harder to access.
This issue has prompted wider discussion in the open-source security community. Groups such as the Open Source Security Foundation (OpenSSF) and leaders of major projects have increasingly discussed the pressure caused by rising volumes of AI-assisted reports.
The issue is no longer hypothetical.
Why crypto projects may face a bigger problem
Crypto security faces higher pressure because vulnerabilities can put user funds at immediate risk.
A flaw in a social media platform might lead to data exposure or service outages. In contrast, a bug in a crypto bridge or DeFi protocol could lead to the loss of hundreds of millions of dollars.
This changes the stakes.
Crypto projects also rely heavily on open-source cooperation. Smart contracts, consensus mechanisms, wallets and decentralized applications are usually designed for public review. Bug bounty programs encourage outside researchers to find weaknesses before attackers do.
In theory, AI should improve this process. In reality, it risks overwhelming the system.
If bounty programs receive large numbers of AI-generated reports, maintainers may struggle to prioritize the issues that need urgent attention. Real researchers might have to compete with automated clutter. Major findings could remain stuck in review queues for longer periods.
This creates a specific risk for crypto because attackers do not follow the same disclosure rules as defenders. Threat actors can quietly use AI-assisted methods to search for flaws without alerting anyone.
As a result, defensive teams cannot afford slow or distracted triage systems.
Did you know? Some AI-assisted security tools can scan huge codebases within minutes. However, human researchers still need to confirm whether a vulnerability is actually exploitable in real-world conditions or only possible in theory.
The bug bounty incentive problem
Bug bounty programs were built on a basic idea: Finding serious vulnerabilities takes skill, effort and time.
AI changes this balance.
Contributors can now use large language models and automated scanning tools to review codebases, draft submissions and file reports at a much lower cost. This encourages high-volume submissions, especially from less experienced users trying to earn payouts through quantity.
The pattern starts to look like email spam.
When thousands of weak submissions can be created at little cost, some actors will try this approach. Even a small success rate could make it worthwhile.
For crypto projects, this may require difficult changes:
- Ask for stronger proof-of-concept evidence
- Raise submission standards
- Limit open bounty participation
- Focus on verified contributors
- Move toward selective, invitation-based security programs
Although these steps might reduce unwanted volume, they could also weaken the openness that has long been one of crypto’s key strengths.
More reports do not always mean better security
Open-source communities have long believed that wider participation makes software more reliable. Eric Raymond captured this idea with the observation that, with enough review, even complex flaws become easier to find.
AI complicates this view.
Not every contribution has the same value. Automated systems can quickly produce comments and observations, but effective security analysis still depends on human judgment and experience.
A valuable vulnerability report usually involves:
- Understanding protocol incentives and dynamics
- Identifying flaws in business logic
- Mapping possible exploit paths
- Considering real attack scenarios
- Separating theoretical weaknesses from flaws that can be exploited in practice
This kind of detailed review remains difficult to fully automate.
As a result, the main problem today may no longer be attracting more reports. It may be making sure skilled reviewers have enough time and focus to assess the reports that matter most.
How AI-generated reports could hide real crypto vulnerabilities
A major concern with excessive AI-assisted submissions is not just the loss of time. It is the risk that real vulnerabilities could be missed because of the high volume of reports.
Repeated exposure to overstated or weak reports may lead maintainers to treat new submissions with more doubt. This can slow the review of legitimate issues and create risky delays.
Attackers, however, need only one missed flaw.
Past crypto incidents have shown the severe consequences of delayed responses. Exploits targeting bridges, oracle systems and smart contract vulnerabilities have caused losses in the tens or hundreds of millions of dollars.
In systems filled with irrelevant noise, the chance of missing subtle but critical vulnerabilities can rise.
In an unintended twist, widespread AI-driven “security contributions” may eventually weaken the human oversight that has long made open-source security valuable.
What effective AI-supported security research requires
This does not mean AI has no value in security work. Experienced researchers are using these tools more often to speed up code review, fuzz testing, document review and exploit simulation.
Problems appear when AI outputs are submitted as complete findings instead of supporting material.
Careful use of AI in security reporting requires human oversight and validation.
Strong vulnerability reports usually include:
- Detailed reproduction steps
- Proof that the vulnerability can be exploited
- Context explaining the possible impact
- Confirmation that the issue has not been reported before
- A balanced assessment of its severity
- Practical recommendations to fix it, when possible
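As an added example that is not part of this article and not any project's real triage code, the short Python script below shows what a maintainer-side pre-triage filter can do with the two checklists on this page (the questions a legitimate discovery must answer and the contents a strong report should carry): bounce submissions that arrive without reproduction steps or a proof of concept, flag likely duplicates of issues the project already tracks or has fixed, and give the rest a queue priority based on whether the stated impact touches funds or privileged functions. The known-issue index, the impact keyword rules, the component paths and the three sample reports are all constructed for illustration. Nothing the script queues skips human review; it only decides where reviewer hours go first.

```python
"""Pre-triage filter for incoming vulnerability reports (constructed example).

Bounces evidence-free submissions, flags likely duplicates and assigns a queue
priority. Everything it queues still goes to a human reviewer.
"""
from dataclasses import dataclass
import re

# Hypothetical index of issues the project already tracks or has fixed,
# keyed by (normalised component path, normalised vulnerability class).
KNOWN_ISSUES = {
    ("contracts/bridge/withdraw.sol", "reentrancy"): "fixed in v2.1.0",
    ("wallet/sign.go", "noncereuse"): "already tracked, fix in progress",
}

# Fields a submission must carry before anyone spends review time on it.
REQUIRED = ("affected_component", "vuln_class", "repro_steps", "poc", "impact")

# Impact wording that points at funds or privileged functions (hypothetical rule set).
HIGH_IMPACT = re.compile(
    r"\b(drain|theft|loss of funds|unauthori[sz]ed (withdraw|mint|transfer)\w*"
    r"|admin|owner|privilege)\b",
    re.IGNORECASE,
)


@dataclass
class Report:
    reporter: str
    affected_component: str = ""
    vuln_class: str = ""
    repro_steps: tuple = ()   # ordered steps a reviewer can follow
    poc: str = ""             # failing test or script that demonstrates the flaw
    impact: str = ""          # what an attacker gains if the report is right


def norm_path(s: str) -> str:
    return s.strip().lower().replace("\\", "/")


def norm_class(s: str) -> str:
    # "Re-entrancy", "reentrancy" and "re entrancy" all collapse to one key
    return re.sub(r"[^a-z0-9]", "", s.lower())


def fingerprint(r: Report) -> tuple:
    """Dedup key: same component and same vulnerability class as a known issue."""
    return (norm_path(r.affected_component), norm_class(r.vuln_class))


def missing_fields(r: Report) -> list:
    return [f for f in REQUIRED if not getattr(r, f)]


def triage(r: Report, known=KNOWN_ISSUES) -> dict:
    """Route one report: bounce (incomplete), duplicate, or queue with a priority."""
    missing = missing_fields(r)
    if missing:
        return {"decision": "bounce", "reason": "missing: " + ", ".join(missing), "priority": None}
    fp = fingerprint(r)
    if fp in known:
        return {"decision": "duplicate", "reason": known[fp], "priority": None}
    priority = "high" if HIGH_IMPACT.search(r.impact) else "normal"
    return {"decision": "queue", "reason": "complete and not a known issue", "priority": priority}


def summarise(reports) -> dict:
    """Count how an inbox splits between queued, duplicate and bounced reports."""
    counts = {"queue": 0, "duplicate": 0, "bounce": 0}
    for r in reports:
        counts[triage(r)["decision"]] += 1
    return counts


# Constructed sample inbox: one solid report, one duplicate, one evidence-free draft.
SAMPLE = [
    Report(reporter="researcher-a",
           affected_component="contracts/bridge/Relay.sol",
           vuln_class="signature replay",
           repro_steps=("deploy fixture", "submit relayer-signed message", "resubmit same message"),
           poc="test/Replay.t.sol (failing test, constructed)",
           impact="Replayed relayer signature allows unauthorized withdraw of locked funds"),
    Report(reporter="researcher-b",
           affected_component="contracts/bridge/Withdraw.sol",
           vuln_class="Re-entrancy",
           repro_steps=("call withdraw from a contract with a re-entering fallback",),
           poc="test/Reenter.t.sol (constructed)",
           impact="Repeated withdrawal before balance update"),
    Report(reporter="scan-bot",
           affected_component="contracts/token/Vault.sol",
           vuln_class="integer overflow",
           impact="May cause unexpected behaviour"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.reporter, triage(r))
    print(summarise(SAMPLE))
```

The duplicate check is deliberately coarse: it keys on component plus vulnerability class rather than on the report text, so a rewritten or reworded copy of an already fixed finding still lands in the duplicate bucket instead of a reviewer's queue, while a genuinely new class of flaw in the same file is not suppressed.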
Put simply, AI may help with early detection, but human judgment remains essential for the final call.
This distinction is likely to become more important as projects update their disclosure rules and submission requirements.