TU Delft research on the Impact of AI-Generated Security Reports on OSS Maintainers & Security Triage

Hi everyone,

I’m currently pursuing my MSc at TU Delft in the Netherlands, where I’m conducting my thesis research on how AI-generated security bug reports are affecting open-source maintainers and security triage practices.

As LLMs become more capable, they seem to be lowering the barrier for generating vulnerability reports, bug submissions, and security-related findings. While this may increase accessibility and reporting volume, I’m also interested in understanding whether it creates new operational challenges for maintainers and security teams, for example around report quality, trust, triage workload, false positives, or signal-to-noise ratio.

Given the strong overlap between OSS security tooling and vulnerability workflows in this community, I was curious whether maintainers or security practitioners here have already started noticing changes related to AI-generated reports or AI-assisted submissions.

I’d be particularly interested in hearing perspectives on whether people have noticed changes in the volume or quality of security reports recently, whether AI-generated reports are easy to identify in practice, whether they meaningfully affect triage workflows or maintainer workload, and whether there are practices or tooling approaches that help filter useful signals from low-quality submissions.

I’d also be very grateful to speak with OSS maintainers or security practitioners who may be open to participating in a short research interview related to this topic.

Thank you, and I’d genuinely appreciate any perspectives or discussion from the community.


Hi @Sudharshan-02 - we would love to talk to you about this! Would you like to come to our regular community office hours and talk about this? Every other week we do a non-recorded community office hours video call. The next one is at 2026-05-21T16:00:00Z on Zoom. You’re welcome to join us for that, and we can either talk then or use that time to set up another conversation.

If you can’t make the community meeting, you can use my office hours link for discussing vulnerability data to set up a time to talk to me as well (this will also let us exchange email addresses), and I can share the invite with the team.

Hi Will,

Thank you very much for the invitation, I would be very happy to join the community office hours and discuss the research topic further.

I would really appreciate the opportunity to hear perspectives from the community and learn more about the workflows around vulnerability and security report handling in OSS ecosystems.

I will plan to join the session on May 21.

Thank you again for reaching out, and I’m looking forward to the discussion.

Best regards,
Sudharshan Kottiswaran

Hey Will,

Thank you again for inviting me to the call. I had a very nice conversation with Keith and Christopher, and they have shown interest in talking further. I would also love to talk to you about this and have booked a slot tomorrow, 22 May, at 3:30 pm through your office hours link for discussing vulnerability data. Looking forward to our conversation.

Warm regards,
Sudharshan.
