AI Security Firm Sued for Hallucinated cURL Vulnerability Reports
In brief
- cURL shut down its HackerOne bug bounty program in January 2026 after the share of valid reports fell below 5%
- AI vulnerability scanners have produced false-positive rates as high as 80% in some assessments
- False reports can tank stock prices, trigger costly remediation, and damage product reputations
The False-Positive Flood
Fewer than 1 in 20 vulnerability reports submitted to cURL's program turned out to be genuine, with the rest largely AI-generated false positives. The deluge forced the cURL maintainers to shut down the entire program, a drastic step for a tool relied upon by millions of developers and embedded in critical systems worldwide.
AI vulnerability scanning tools have been documented producing false-positive rates as high as 80% in some assessments. This is not a minor inconvenience: triage cost scales with every report submitted, not just the valid ones, so a high false-positive rate turns a scanner's throughput directly into analyst workload. Every false alarm consumes analyst hours, delays real security work, and erodes trust in automation.
Economic and Reputational Damage
The stakes are real. A false vulnerability report can tank a company's stock, trigger expensive remediation efforts, or destroy a product's reputation. Consider the ripple effect: security teams divert resources to investigate phantom threats, patch management gets tangled in false urgency, and confidence in the tool itself fractures.
AI hallucinations—the tendency of large language models to generate plausible-sounding but entirely fictional information—have already caused damage elsewhere. Lawyers have been sanctioned for citing fake case law generated by AI. The vulnerability scanning space faces the same credibility crisis, but with higher stakes: security researchers and infrastructure teams depend on accuracy to protect the internet itself.
Why This Matters
The cURL case exposes a fundamental problem: AI tools marketed as force multipliers can become force drains when accuracy fails. The industry has built workflows around automation without solving the hallucination problem. Until AI systems can reliably distinguish signal from noise, human gatekeepers remain non-negotiable—and the cost of that oversight keeps climbing.