The Calculator Discipline – AI-Assisted Disclosure Hallucinations


Published May 26, 2026 | Version 1.0 | Working paper | Open


Authors/Creators

Thomas, Stuart Paul (Researcher)

Description

AI assistance has made source-code review cheap, and like every productivity multiplier in the history of engineering it has therefore made being wrong cheap. The open-source security community has spent the last eighteen months noticing the result: bug-bounty intake queues drowned in plausible-sounding but fabricated vulnerability reports, with the curl project's January 2026 closure of its HackerOne programme the headline example. The conversation so far has mostly been complaint. What is missing is a taxonomy of the failure modes, a pre-send filter that catches the most mechanical of them, and honest case studies from researchers who have themselves shipped the slop.

This paper supplies all three. We propose a four-class taxonomy (bug-shape fabrication, evidence fabrication, severity inflation, trivial-as-critical), present two real disclosure withdrawals and one near-miss caught before send, and describe a working pre-send tool (hallucination_check.py) whose four verifiers were derived from those cases. The author is one of the people who shipped the slop; the discipline described here exists because the failure happened to him.

The framing throughout is that AI is a calculator: a tool that makes a careful user faster and a careless user wrong faster. The fix is not to disown the calculator; the fix is to apply calculator discipline.

Other

The paper is released under CC BY 4.0. The accompanying tool described in section 6 (hallucination_check.py, approximately 35 KB) is released separately under the BSD 2-Clause Licence and is distributed via the project's public artefacts directory.

Case studies in sections 2 and 3 reference disclosures made to the OpenBSD project (bugs@openbsd.org and security@openbsd.org) during May 2026. Verbatim text of security@openbsd.org correspondence is not reproduced in this paper out of respect for the list's private status; paraphrasing in section 3 preserves the substance.

This paper was drafted with LLM assistance (Claude, Anthropic) as a reasonable adjustment under Equality Act 2010 §20 (neurodivergent author). The author independently verified every cited file path, commit hash, person's name, and URL before publication.

Files

TheCalcDisc.pdf (102.5 kB), md5:ee8c526abee9ab32480f3e24743b010b

Additional details

Identifiers

URL: https://stuart-thomas.com/research/calculator-discipline/

URL: https://triageforge.co.uk/pages/case-study-calculator-discipline.html

Related works

Is documented by (Publication, URL): https://triageforge.co.uk/pages/case-study-calculator-discipline.html

Is identical to (Publication, URL): https://stuart-thomas.com/research/calculator-discipline/

Dates

Available

2026-05-26



Indexed in: OpenAIRE

Keywords and subjects

Keywords

vulnerability disclosure AI-assisted research hallucination bug bounty triage OpenBSD responsible disclosure methodology software security disclosure ethics LLM-assisted code review
