• nchmy 2 hours ago

    I've been helping a bit with OWASP documentation lately and there's been a surge of Indian students eagerly opening nonsensical issues and PRs and all of the communication and code is clearly 100% LLMs. They'll even talk back and forth with each other. It's a huge headache for the maintainers.

    I suggested following what Ghostty does where everything starts as discussions - only maintainers create issues, and PRs can only come from issues. It seems like this would deter these sorts of lazy efforts.

    • causalscience 2 hours ago

      > Indian students

      Is this cultural? I ran a small business some years ago (later failed) and was paying for contract work to various people. At the time I perceived the pattern that Indian contractors would never ever ask for clarifications, would never say they didn't know something, would never say they didn't understand something, etc. Instead they just ran with whatever they happened to have in their mind, until I called them out. And if they did something poorly and I didn't call them out they'd never go back as far as I can tell and wonder "did I get it right? Could I have done better?". I don't get this attitude - at my day job I sometimes "run with it" but I periodically check with my manager to make sure "hey this is what you wanted right?". There's little downside to this.

      Your comment reminded me of my experience, in the sense that they're both a sort of "fake it till you make it".

      • freakynit an hour ago

        Indian here (~15+ years in tech). I've seen this behavior a lot, and unfortunately, I did some of this myself earlier in my career.

        Based on my own experience, here are a few reasons (could be a lot more):

        1. Unlike most developed countries, in India (and many other developing countries), people in authority are expected to be respected unconditionally (almost). Questioning a manager, teacher, or senior is often seen as disrespect or incompetence. So, instead of asking for clarification, many people just "do something" and hope it is acceptable. You can think of this as a lighter version of Japanese office culture, but not limited to office... it's kind of everywhere in society.

        2. Our education system mainly rewards results, not how good or well-thought-out the results are. Sure, better answers get more marks, but the gap between "okay" and "excellent" is usually not emphasized much. This comes from scale problems (huge number of students), very low median income (~$2400/year), and poorly trained teachers, especially outside big cities. Many teachers themselves memorize answers and expect matching output from students. This is slowly improving, but the damage is already there.

        3. Pay in India is still severely low for most people (seriously low, with 12-14+ hour work days, even more than the 996 culture of China), and the job market is extremely competitive. For many students and juniors, having a long list of "projects", PRs, or known names on their resume is most often the only way to stand out. Quantity often wins over quality. With LLMs, this problem just got amplified.

        Advice: If you want better results from Indian engineers (or designers or anyone else really), especially juniors (speaking as of now, things might change in the near future), try to reduce the "authority" gap early on. Make it clear you are approachable and that asking questions is expected. For the first few weeks, work closely with them in the style you want them to follow... they usually adapt very fast once they feel safe to do so.

        • koliber 18 minutes ago

          I've seen an interesting behavior in India. If I ask someone on the street for directions, they will always give me an answer, even if they don't know. If they don't know, they'll make something up.

          This was strange. I asked a lot of Indian people about it and they said that it has to do with "saving face". Saying "I don't know" is a disgraceful thing. So if someone does not know the answer, they make something up instead.

          Have you seen this?

          This behavior appears in software projects as well. It's difficult to work like this.

          • AndrewKemendo a few seconds ago

            > I've seen an interesting behavior in India. If I ask someone on the street for directions, they will always give me an answer, even if they don't know. If they don't know, they'll make something up.

            Isn’t this the precise failure pattern that everybody shits on LLMs for?

            • ilogik 2 minutes ago

              sounds like an LLM :)

            • cebert an hour ago

              > Pay in India is still severely (seriously low, with 12-14+ hour workdays, even more than the 996 culture of China) low for most people.

              My employer outsources some work to Indian contractors. I know how much we are paying the contracting firm, which is low. Knowing the firm takes a cut before the contractors are paid, I feel terrible for how little they are compensated. I frequently wonder if we’d get better output if we paid more.

              • freakynit an hour ago

                Avoid middlemen in India... sorry for the word, but they are the biggest leeches. We hate them too here.

                India is filled with small one-room service-based companies (the middlemen's) that hire interns for ZERO pay, make them work 12-14 hour days under extremely "humiliating" conditions and then, when it comes to giving them an internship completion certificate, they demand huge sums of money just to release them... think about it.

                As for how you are gonna do without the middlemen, I don't have the answer yet... ideas are welcome.

                • bluGill 36 minutes ago

                  The good engineers in India know their value and get it. My company has offices in India because you have to manage them yourself, not use middlemen. You can train the locals to be great managers (at least some).

                  Wages for good people in India are worse than for similar people in the US, but often higher than in Europe. But there are other problems with Europe and so it can be the better deal.

                  • com 25 minutes ago

                    Could you expand on the other problems with Europe other than hiring and firing laws?

                • __s 30 minutes ago

                  Yes, you would (speaking from experience)

                • oaiey 8 minutes ago

                  Topic (1) in particular is also covered in cross-cultural trainings.

                  Another topic is: do not expect a remote dev to pick up ambient knowledge, particularly if they are juniors with no life experience. And since outsourcing to India is trying to get the resources for the lowest possible price, the result is: you get them as junior / fake senior / bad senior as you think. Pay better in India, get better people.

                  • tribaal an hour ago

                    This is extremely valuable insight for me, a non-Indian manager.

                    Thanks a lot!

                    • freakynit an hour ago

                      Glad it was of help :)

                    • bluecheese452 19 minutes ago

                      Alternatively you could hire people from cultures where this crap doesn’t fly.

                      • moralestapia 33 minutes ago

                        Since we are talking about LLMs, what I've noticed about the Indian/Pakistani "LLM" is they almost always have this way of structuring thoughts:

                        1. They

                        2. Always

                        3. List

                        4. Things

                        And end up with a conclusion/punchline/takeaway.

                        I always wanted to ask, is that by training?

                        I can imagine all schools over there have a specific style, like all their assignments need to have this general form, and then they just get used to it and it permeates in their everyday life.

                        • regenschutz a minute ago

                          That's how all LLMs structure content, not just Indian/Pakistani LLMs.

                      • nelox 2 hours ago

                        This sounds like a real cross-cultural mismatch, but it’s doing too much work with nationality alone. In a lot of Indian (and broader South Asian) work contexts, questioning instructions can be read as challenging authority or admitting incompetence, so people default to executing without asking. That’s often reinforced by education systems and contractor dynamics where producing something quickly feels safer than pausing to clarify.

                        Add in time zones, language friction, and fear of losing work, and "just run with it" becomes a rational strategy. Meanwhile, many Western workplaces treat clarification and check-ins as professionalism, so the behavior reads as strange or careless.

                        The key point is that this usually isn’t lack of curiosity or reflection, but risk management under different norms. The pattern often disappears once expectations are explicit: ask questions, check back, iteration is expected.

                        • ekidd an hour ago

                          Yeah, I agree, the time zones are killer, and this can't be ignored. I work at a company spread over most of the world, with SMEs coming and going as the globe spins.

                          Back-and-forth iteration and consultation is a genuinely hard problem. Certain kinds of feedback cycles have a minimum latency of "overnight". Which means we need to invest heavily in good communication.

                          But also, it means more people need to have the "big picture", and they need to be able to make good decisions (not just arbitrary ones). So the ideal goal is to prevent people from going off in random nonsensical directions based on miscommunication, and equip them to actually think strategically about the overall plan. Continent X might make different decisions than continent Y, but they're all talking, and enough people see the goal.

                          A lot of the international teams I've seen pull this off are ones where an Eastern European or Indian team is just another permanent part of the company, with broad-based professional expertise. Contractors on any continent are a whole different story.

                          So I think what a lot of people try to blame on Indian management culture (or whatever) really is just a case of "we hired contractors in a different time zone." I mean, there are always cultural issues—Linus Torvalds came from a famously direct management culture, and many US managers tend to present criticism as a not-so-subtle "hint" in between two compliments—but professionals of intelligence and goodwill will figure all that out eventually.

                          • Aerolfos an hour ago

                            > But also, it means more people need to have the "big picture", and they need to be able to make good decisions (not just arbitrary ones). So the ideal goal is to prevent people from going off in random nonsensical directions based on miscommunication, and equip them to actually think strategically about the overall plan. Continent X might make different decisions than continent Y, but they're all talking, and enough people see the goal.

                            Very common pattern you see in literature about military strategy, actually. The answer is delegation, heavy use of NCOs, and in general explaining the plan all the way down to the individual soldier. Under the western school it all falls under "initiative".

                            Notably, a lot of non-Western militaries are terrible at it, and a number of military failings in Africa, the Middle East, and the Soviet Union (*cough* Russia *cough*) are viewed as failures in flexibility with very low initiative, as well as lacking/unskilled NCO corps.

                            Dunno how you apply that to an organization, but maybe sending skilled workers as a kind of non-commissioned officer could work. Who knows.

                            • kjellsbells 2 minutes ago

                              Army manual FM 22-100 is a very good read on this topic. The impact of giving NCOs both freedom and guardrails is immense.

                              link here (ironically, on a blog that critiques it)

                              https://armyoe.com/army-leadership-doctrinal-manuals/

                              • swiftcoder 38 minutes ago

                                > Dunno how you apply that to an organization, but maybe sending skilled workers as a kind of non-commissioned officer could work. Who knows.

                                The most successful engagements I've had with contracting firms have been when we've shelled out for a team manager and a software architect (in addition to the number of straight developers we want).

                                The software architect builds a solid understanding of our solution space, and from then on helps translate requirements into terms their engineers are familiar with, and provides code reviews to ensure their contributions are in line with the project goals. The team manager knows how to handle the day-to-day reporting, making sure everyone is on task, escalates blockers over the fence to our engineers and management, etc.

                                Without those two roles from the contracting firm's side, I find that timezones and cultural mismatches (engineering culture, that is) pretty much erase the impact of the additional engineering headcount when adding contractors.

                                • actionfromafar 2 minutes ago

                                  Explaining the plan to the individual soldier also works better when the individual soldier is expected to care at all about the overall goal. (Such as believing in the mission of defending the home country.) When the soldier only has extrinsic motivation such as money, top-down command and control and treating soldiers solely as equipment to be spent makes more "sense", in a terrible way.

                                  Maybe that applies to software orgs too, somehow.

                                • 3D30497420 an hour ago

                                  > the time zones are killer, and this can't be ignored

                                  100% agree, especially when there is minimal overlap during normal office hours. I was managing a dev team in India from the US and it was a real challenge. The company ended up moving the team to the US, relocating most of my team. Despite all the people being the same, management became much easier.

                                  Since then I've done US and EU, and EU and IN, and those have all worked fine because we had sufficient overlap during business hours.

                                  • nottorp an hour ago

                                    If you needed 8 hour overlap you were micromanaging?

                                    Was that because of the above cultural differences?

                                    • bluGill 32 minutes ago

                                      He didn't need 8 hours, but zero didn't work. The US and India are about 12 hours apart (there are 4 time zones in the US, daylight saving time, and India is offset half an hour, but it rounds out to 12 hours for discussion).

                                • kordlessagain an hour ago

                                  > questioning instructions can be read as challenging authority or admitting incompetence, so people default to executing without asking

                                  That’s ego, assuming doing is the value, not doing RIGHT.

                                  Doing alone has almost zero value.

                                  • catlifeonmars an hour ago

                                    It’s how not to get fired, ostracized, etc. I don’t understand how you read that as ego.

                                    • throwaway85825 an hour ago

                                      Izzat

                                      • cookiengineer an hour ago

                                        > That’s ego, assuming doing is the value, not doing RIGHT.

                                        No. That's lack of labor protection laws and the effect that this causes on how companies are run.

                                      • 4gotunameagain 2 hours ago

                                        To add to that, it is culturally acceptable and even lauded in India to achieve something by "gaming the system", something usually considered unethical in the west (okay maybe less so in the US).

                                        I would be ashamed to submit an AI slop PR or vulnerability report.

                                        An Indian might just say "I have 25 merged PRs in open source projects".

                                        • throwaway85825 an hour ago

                                          Term for this is "chalaki"

                                      • littlecranky67 an hour ago

                                        It is cultural - the whole "not losing face" thing. In a project, I once was squad lead - I was onsite, my squad members were in Bangalore of course. Same experience as you. Once I wanted to talk about a piece of code that we needed to improve and refactor, and I was acting in good faith calling the dev that committed that code. When I brought up the code on my screen to start pair programming, he immediately denied having written the code. Unfortunately for him, being a junior, he did not know about git blame - I entered it in the terminal and his name showed up on that code. Still, he would simply just deny that he wrote it. I then took the git commit hash and looked it up in GitLab, able to bring up the MR he created and the reviewer (wasn't me). Even with that on screen, he still denied being the author - with no arguments or alternative reasoning, he just constantly would repeat "No, I haven't written that". "No no, but I haven't written it". I pulled even the JIRA ticket up, that was about that feature and guess what - he was the assignee and moved it to "In Progress" and "Done". Still with that on screen all I got was a "no, haven't written it".

                                        I had more of those interactions, and we also exchanged some of the Indian devs (they were sold to the client by a big consulting group, and immediately replaced by someone else if we wished). I later found out, people that I had replaced in my squad for not being qualified ended up in different teams in the same corporation; they were basically just moving around in-house.

                                        After a few months in the project I swore to myself never to work with offshores again. And as a side note, the bank I did the project with does not exist anymore :)

                                        • AgentMatt an hour ago

                                          My guess would be yes, it's cultural. I'm not Indian but spent about 5 months there. Overall my impression was that people act much more on direct feedback.

                                          It would be typical to do the first thing that comes to mind, then see what happens. No negative feedback? Done, move on. Negative feedback? Try the next best thing that makes the negative feedback go away.

                                          People will not wonder whether they might bother you. Just start talking. Maybe try to sell you something. That's often annoying. But also just be curious, or offer tea. You react annoyed and tell them to go away? They most likely will and not think anything bad of it. You engage them? They will continue. Most likely won't take "hints" or whatever subtle non-verbal communication a Westerner uses.

                                          I found it quite exhausting in the beginning, it feels like constantly having to defend myself when I want to be left alone. But after I started understanding this mode and becoming more firm in my boundaries, I started to find it quite nice for everyday interactions. Much less guessing involved, just be direct.

                                          Professionally I haven't worked much with Indians, but my expectation would be that it's necessary to be more active in ensuring that things are on track. Ask them to reflect back to you what the stated goal is. Ask them for what you think are obvious implications from the stated goal to ensure they're not just repeating the words. Check work in progress more often.

                                          • LarsKrimi 2 hours ago

                                            That is a cultural thing, and one of the first things you learn to handle when working tightly together with Indians as an outsider.

                                            I can't remember all the techniques but a simple trick is to ask them to repeat their understanding back to you before they start working on a thing.

                                            But I don't think it's connected to sending "malicious" reports. That seems rather to be to pad their resume and online presence while studying to get an edge in hiring.

                                            • formerly_proven an hour ago

                                              You know who also needs a lot of micro-management but doesn’t live in a time zone, is way faster than offshore contractors, scales up and down instantly, has no onboarding period and is (still) cheaper? Opus.

                                              • LarsKrimi an hour ago

                                                Ehh nothx. I like my slop human powered

                                                • bravetraveler an hour ago

                                                  Random interjection: if all roads lead to management, I guess I'd prefer a robot

                                            • dostick 2 hours ago

                                              Of course it's cultural, they have to compete with thousands of people just like them in an environment where human life is cheap and anyone is replaceable. Any authority has huge weight, which comes from the historical system of how society is separated. And then any education they receive assumes cheating at exams, then cheating with the CV, then cheating with the work they do. It's all about appearances.

                                              • knitef an hour ago

                                                Maybe. I have hated crowds all my life. I can always see filth in people. I have helped people cheating at interviews. I want to vomit every time somebody asks me to make a CV. Vomit in the sense I genuinely hate overselling myself but if I don't, I just don't. And what I'm open if you want to ask any question about me?

                                              • samiv 10 minutes ago

                                                I used to work with colleagues from China in contracting and I had the same experience with them. If they don't know something they have hard time saying that they don't know something or don't understand something.

                                                Fictitious example could be:

                                                Q: is this car red? A: it's not green. Q: yeah I know it's not green. But is it red? A: today is Thursday.

                                                One thing I learned: it's not worth pressing forward and causing a scene. Instead, use other ways of finding the information.

                                                When guiding team members I always found it useful to have them explain back to me in their own words what they're tasked to do. It became immediately obvious if they were on the right track or not.

                                                • pjc50 28 minutes ago

                                                  From a half-Indian friend of mine, he described this as "ask vs guess" culture. https://medium.com/redhill-review/navigating-ask-and-guess-c...

                                                  Ask culture scales a lot better in a fast changing world full of strangers. Guess culture saves friction, but only in situations where people are mostly guessing correctly because the social structure and expectations are fixed.

                                                  • waltbosz 16 minutes ago

                                                    > never ever ask for clarifications, would never say they didn't know something, would never say they didn't understand something

                                                    I experienced this same thing working with offshore Indian contractors 20 years ago. Interesting to hear someone else echo my observations.

                                                    • opan 36 minutes ago

                                                      I recently heard from a friend that this is due to something called "izzat". Admitting any sort of wrongdoing would reflect poorly on them and their family, to the point they would rather lie or do the wrong thing than damage their family's reputation.

                                                      • SwiftyBug an hour ago

                                                        I had the same exact experience with an Indian contractor. I requested that he used git instead of Shopify CLI for his changes to a store's theme. He acknowledged my request but kept using the CLI. I once again asked him to use git and even offered a detailed, step-by-step guide on how to pull, branch and then push changes. He absolutely ignored everything and simply kept using the CLI. That was actually amazing to witness. The only hypothesis I have is that it's some kind of cultural thing where asking for help is worse than doing the opposite of what's expected from you. I don't know, but your story supports my hypothesis.

                                                        • dormento 33 minutes ago

                                                          I believe it has to do with saving face.

                                                          I've worked with mixed nationality teams at a certain 4 letter Austinite corporation a couple thousand moons ago. One thing in common with my Asian colleagues back then (many of whom I still keep in touch with to this day) is that they would usually refrain from saying things that could rock the boat or disappoint you. If they lacked knowledge for the task at hand, they wouldn't let you know. If they were late on a delivery, they'd insist it would be ready by a certain date. This led to situations where other regional managers would have to plan contingencies to work around the issue.

                                                          • hypeatei an hour ago

                                                            This is called "saving face"[0] and it's very common in some Asian cultures. Western societies prefer directness, and eastern ones prefer harmony.

                                                            0: https://en.wikipedia.org/wiki/Face_(sociological_concept)

                                                            • Symbiote 31 minutes ago

                                                              There are also a lot of Indian students (there are 1.4bn Indians). There are lots of IT jobs, therefore presumably lots of IT students, and unlike in China Internet access (e.g. to GitHub) is not restricted.

                                                              • tock an hour ago

                                                                How much are the contractors being paid?

                                                                The people having a terrible time with Indian contractors always deal with folks making 3k-10k USD/year. Of course the quality is bad.

                                                                For reference:

                                                                Good Indian devs out of college make at least 30k USD. Good senior devs make at least 50k. The really good ones make much more. Most American companies outsource to bottom of the barrel contracting companies like Infosys.

                                                                • 6LLvveMx2koXfwn 39 minutes ago

                                                                  This is hilarious and reminded me of the two stints I had in India, for about 8 months in total at the turn of the century. I was a hippy traveler and asking directions for almost anything was par for the course. I never had anyone local say they didn't know where something was once asked, even though me following their directions led to the intended target maybe 10% of the time. It was funny and infuriating at the same time :)

                                                                  • dark-star 41 minutes ago

                                                                    Indian students were the reason that Google's Hacktoberfest was criticized and ultimately terminated.

                                                                    Indian students have a long history of disrupting free/libre projects, this is nothing new

                                                                    • account42 35 minutes ago

                                                                      Hacktoberfest was run by Digital Ocean. You might be mixing it up with Google's summer of code.

                                                                    • whateverboat 2 hours ago

                                                                      It's desperational. The desperation of not having to lose any contract. The desperation of being just one bad year away from being on the streets and having to live a terrible life (no food security).

                                                                      For students, often there is no pathway to actually become good due to lack of resources. So, the only way is to fake it into a job and then become good.

                                                                      • raverbashing an hour ago

                                                                        Yes it's "fake till you make it" without the making part

                                                                        • BoorishBears 2 hours ago
                                                                          • nchmy 2 hours ago

                                                                            selfishness, laziness, lack of self-awareness, lack of shame, etc are obviously universal traits. But cultures absolutely reinforce them to different degrees. Many cultures around the world are built around the sorts of behaviors we both described.

                                                                            Whereas other cultures have at least some (if not a lot of) resistance to it - eg publicly ridiculing when people step flagrantly out of line. This is good. My impression is that British culture is like this - "taking the piss", or worse, out of people whose egos start to get too large

                                                                            Edit: what about this comment could possibly be worth a downvote...? Not that I care about points, but it just seems to be an objective assessment of human nature and cultures, without even singling out any cultures that need improvement.

                                                                            • Aeglaecia an hour ago

people who actually have a life generally don't spend time hanging around internet forums so it's important to consider that a disconnection from reality is involved in places like these , thru my eyes you have restated the idea of low trust vs high trust societies without building on top of the idea , which isn't downvote worthy but isn't upvote worthy either

                                                                              • nchmy 35 minutes ago

                                                                                I didn't expect up votes. I also wasn't about to write a treatise. And saying "low trust vs high trust societies" wouldn't be meaningful, nor would it actually be accurate. The issue here isn't trust - it's humility, integrity, conscientiousness, etc. Trust often comes along with such traits, but it's not the core issue.

                                                                              • kordlessagain an hour ago

                                                                                Use proper grammar and syntax and read the guidelines. Also, not giving a shit what others think here helps.

                                                                                • nchmy an hour ago

                                                                                  What grammar and syntax was improper...?

                                                                                  • nottorp 22 minutes ago

                                                                                    You don't sound like a LLM :)

                                                                                    • ohyoutravel 29 minutes ago

Your grammar and syntax are fine for the medium and audience. I did downvote that post, somewhat ironically because you edited it to ask about someone else’s downvote. But otherwise carry on.

                                                                                • mytailorisrich an hour ago

                                                                                  Possibly as a consequence of this, what I have observed working with Indians is a very hierarchical structure in which you have a "lead" or "architect" who spells out what to do and how to do it in minute details and micromanages, and "devs" who execute as instructed.

                                                                                  • UltraSane an hour ago

I worked at a company where we had an untouchable manager who had some Brahman caste devs report to him and they absolutely HATED this.

                                                                                    • YetAnotherNick an hour ago

I think it's mostly not cultural but just bad engineers lying. IT jobs pay the best in India, and it attracts people who have no skills in IT to just fake their way in.

                                                                                      So for every good developer in India there are probably 20 bad ones who have no idea what they are doing.

                                                                                    • compounding_it 2 hours ago

                                                                                      >Indian students

                                                                                      Resume glorification and LinkedIn / GitHub profile attention do that.

                                                                                      I am seeing a lot of people coming up with perceived knowledge that's just LLM echo chambers. Code they contribute comes straight out of LLMs. This is generally fine as long as they know what it does. But when you ask them to make some changes, some are as lost as ever.

                                                                                      Torvalds was right, code maintenance is going to be a headache thanks to LLMs.

                                                                                      • coldtea 2 hours ago

                                                                                        >This is generally fine as long as they know what it does.

                                                                                        Thanks to their LLM reliance they'd soon not know what it does, and forget even the little they know about coding

                                                                                        • blitzar 2 hours ago

                                                                                          > Resume glorification and LinkedIn / GitHub profile attention do that.

I wondered why people would video themselves going around slapping strangers in public then shouting "it's just a prank bro" - turns out it works.

                                                                                          • thephyber 2 hours ago

Regarding code maintenance:

                                                                                            I’m actually of the mind it will be easier IF you follow a few rules.

                                                                                            Code maintenance is already a hassle. The solution is to maintain the intent or the original requirements in the code or documentation. With LLMs, that means carrying through any prompts and to ensure there are tests generated which prove that the generated code matches the intent of the tests.

                                                                                            Yes, I get that a million monkeys on typewriters won’t write maintainable code. But the tool they are using makes it remarkably easy to do, if only they learn to use it.

                                                                                        • normie3000 2 hours ago

                                                                                          I've seen this - it's tiring even at low volume. Goes something like:

                                                                                          Someone creates a garbage issue. Someone else asks to be assigned. Someone from the project may say "we don't assign issues" (this step has zero effect over later steps). Someone else submits a PR. Maybe someone else will submit another PR. Maintainers then agonise how they can close issues and PR(s) without being rude or discouraging to genuine efforts.

                                                                                          • halapro an hour ago

You've been getting PRs? All I've ever seen is "can you assign this issue to me" spam and then disappear. I was nice to them for years but now I just delete the comment and block the users.

                                                                                            • nchmy 33 minutes ago

                                                                                              Yeah, the "can you assign the issue to me" is the most common. I don't even understand where it came from - does anyone ever actually formally assign issues to anyone?

                                                                                              But they absolutely also create PRs even if you say "don't create a PR. You don't know what you're talking about"

                                                                                            • nchmy 2 hours ago

                                                                                              This is precisely what we've seen

                                                                                              • thephyber 2 hours ago

Those maintainers should be using LLMs to create their breakup letter with the Issue/PR submitters!

                                                                                              • y-curious an hour ago

                                                                                                Reminds me of this Indian GitHub tutorial on how to open a PR on GitHub. The video got millions of views and has flooded a specific repo with countless README update PRs of people (mostly Indian) trying to append their name to the README.

                                                                                                Article about it here: https://socket.dev/blog/express-js-spam-prs-commoditization-...

                                                                                                • mikkupikku 2 hours ago

                                                                                                  Heh, reminds me of that free T-shirt contest thing... Submit crap PRs to random FOSS projects for a chance of winning a shirt, what could go wrong?

                                                                                                  https://ongchinhwee.me/shitoberfest-ruin-hacktoberfest/

                                                                                                  • yawboakye 2 hours ago

                                                                                                    worked well for a bit. but then the program became popular and that’s when it hit the curb. terrible loss, imo. it was a brilliant idea to encourage open source work with a token reward. it relied heavily on good intentions, which quickly disappeared with the popularity.

                                                                                                    • latexr 2 hours ago

                                                                                                      It’s still ongoing. The difference is they now no longer offer t-shirts (at one point they planted trees instead, unsure if that still happens), and projects must opt-in.

                                                                                                      • david_allison 9 minutes ago

                                                                                                        They offered T-Shirts in 2025

                                                                                                      • wink 2 hours ago

                                                                                                        I have one of these and it was really nice in the first 1-n years.

                                                                                                        People gamified it and then it sucked, but the idea wasn't so bad. One would expect people would not stoop this low for a free T-Shirt.

                                                                                                        • blitzar 2 hours ago

this is why we can't have nice things

                                                                                                      • ohyoutravel an hour ago

                                                                                                        I contribute regularly to some major open source projects and it’s happening here too. So many issues that aren’t issues. Constant “fixing” of documentation that doesn’t need to be fixed. Bug reports that aren’t bugs, followed by a bad PR “fixing” the “bug.” Or YOLOing an LLM PR to change major behavior that users are relying on. And I click and the authors are always brand new, with only vibe coded or examples projects in their history, and have some truly awful LLM generated GitHub “about me” page complete with emojis and links to their GitHub “projects.”

                                                                                                        My suspicion is somehow the perception became that if you’re brand new and land a PR in a major open source repo (even as simple as rewording a phrase in a doc that doesn’t need to be reworded), that would help them get a job (they’re always Open to Work on their GitHub about me page).

                                                                                                        It’s so much noise that it’s hard to find the real issues.

                                                                                                        • nchmy 31 minutes ago

                                                                                                          Everything about this is exactly what is happening in OWASP repos.

                                                                                                          • Symbiote 28 minutes ago

                                                                                                            I pick the "block" option on the junk issue, and tick the "Send a user notification and show activity in timeline". The text says "A public timeline entry will show that this user was blocked" which I hope discourages them from wasting our time.

                                                                                                        • yokoprime 21 minutes ago

                                                                                                          I seem to remember there was a large (indian?) educational YouTuber who did a tutorial on how to use Git where they forked a FOSS repo, made a change to the README.md and then made a PR. This caused a huge influx of garbage PRs for that particular repo and other FOSS repos.

                                                                                                          • throwaway85825 an hour ago

                                                                                                            Usually the protection against such spam is social shame but the internet is now full of people who have no shame because shame was never part of their culture. It would be more effective to use GeoIP in this case.

                                                                                                            • com 21 minutes ago

                                                                                                              It’s not just the Internet. It’s politicians and businesspeople and more generally, shameless citizens.

                                                                                                              There’s a lot to dislike about shame as an enforcement mechanism but I’m starting to miss some of the upside it delivered.

                                                                                                              • direwolf20 an hour ago

                                                                                                                Internet reputation became easy to launder, thus meaningless.

                                                                                                              • Havoc 2 hours ago

                                                                                                                Noticed it in corporate context too. About 40% of the performance feedbacks I saw this year were AI written. India and USA crowd. Everything from Europe looked pretty organic but imagine that’ll change too next cycle

                                                                                                                • MadameMinty an hour ago

                                                                                                                  I've noticed this also. But I didn't ascribe it to LLMs, rather figured there is some sort of rogue educator in India who's instructing students to do this on public repos and they just don't know better. But the prof should.

                                                                                                                  • vacillator 44 minutes ago

                                                                                                                    It's likely because of Google Summer of Code. OWASP has participated as an org several times and it's highly likely that they'll participate this time too.

                                                                                                                    Students often start making PRs around this time to get more familiar with projects before they can put in a proposal when the time comes.

                                                                                                                    As someone who's been a programmer for a while now, I feel it's pretty easy to identify slop code and when someone is using an LLM to communicate on issues. I'm not against using LLMs for writing code or even for using it to improve your communication, but it cannot be a substitute for critical thinking.

                                                                                                                    If I was a maintainer of an OSS project, I'd be more likely to _not_ select students who put out slop PRs, proposals, or messages without thought. And also make this clear in the contributing guidelines so contributors know what they're getting into.

                                                                                                                    • bjourne an hour ago

                                                                                                                      The other side of the coin is that many real bug reports are dismissed out of hand. That is frustrating if you have spent hours or days triaging an issue and have submitted a well-written bug report. It would be useful if projects advertised what their de facto bug report policy is. If it involves snide remarks and pointless bureaucracy ("you did not check this box") then that should be stated to help others avoid wasting time. Perhaps an LLM could help with that: "The likelihood of an external bug report being acted upon is X%, given analysis of past interactions on bug tracker."

• tjpnz 2 hours ago

  • lukan 2 hours ago

                                                                                                                          I mean, if people adopt, I guess they can also flood the discussions with LLM nonsense. But for now it seems like the better solution.

                                                                                                                          • duckydude20 2 hours ago

                                                                                                                            i f8cking hate being born here.

                                                                                                                            volume of low quality content, dsa/leetcode, etc. is so high, good people/content gets left out. networking, connections, nepotism so much high. getting job based on actual talent very rare.

                                                                                                                            MNCs which are good outside are so much sh8t here; well capitalism doesn't give a f8ck anyways.

                                                                                                                            • jddj 2 hours ago

                                                                                                                              > capitalism doesn't give a f8ck anyways

                                                                                                                              It doesn't until suddenly it does. A glut of junk can eventually trigger a flight to quality.

                                                                                                                              Sadly, possibly not on a timeline which works for a given individual.

                                                                                                                            • moralestapia 2 hours ago

                                                                                                                              >Indian students

                                                                                                                              How do you know this?

                                                                                                                              • nchmy 2 hours ago

                                                                                                                                Because their usernames are Indian and profiles have links to Indian universities, and sometimes descriptions of the 101 classes they're currently taking. That doesn't stop them from saying things like "I see this sort of vulnerability all the time"

                                                                                                                                • normie3000 2 hours ago

                                                                                                                                  Apologies - looks like you have clear evidence for the "student" part.

                                                                                                                                • coldtea 2 hours ago

                                                                                                                                  Ever been on Stack Overflow before LLMs became a thing?

                                                                                                                                  • nasmorn 2 hours ago

                                                                                                                                    Sir, I agree with moralestapia. Not a singular one of the 20 lakh lines in the PR were written by ChaiGPT.

                                                                                                                                    • moralestapia 20 minutes ago

                                                                                                                                      Lol. I found it of interest since it's quite hard to make an LLM write like a stereotypical Indian.

                                                                                                                                      If I was an Indian student, I would prompt it to avoid that style instead of keeping it.

                                                                                                                                      Also, generally, people can just make stuff up on the internet so ...

                                                                                                                                    • normie3000 2 hours ago

                                                                                                                                      "Students" sounds very speculative. "Indian" likely based on usernames, which are often a South Asian first name followed by a random integer.

                                                                                                                                    • skeptic_ai 2 hours ago

Why don’t you just put an AI guardian to close or to ask them to change the story. Or shadow ban

                                                                                                                                      • mikkupikku 2 hours ago

                                                                                                                                        Subjecting every real contributor to the "AI guardian" would be unfair, and shadow banning is ineffective when you're dealing with a large number of drive-by nuisances rather than a small number of dedicated trolls. Public humiliation is actually a great solution here.

                                                                                                                                        • zimpenfish an hour ago

                                                                                                                                          > Subjecting every real contributor to the "AI guardian" would be unfair

                                                                                                                                          Had my first experience with an "AI guardian" when I submitted a PR to fix a niche issue with a library. It ended up suggesting that I do things a different way which would have to involve setting a field on a struct before the struct existed (which is why I didn't do that in the first place!)

                                                                                                                                          Definitely soured me on the library itself and also submitting PRs on github.

                                                                                                                                          • johnisgood 2 hours ago

How effective is it against people who just simply do not care?

                                                                                                                                            • notahacker 2 hours ago

                                                                                                                                              I suspect people are doing it to pad their resume with "projects contributed to" rather than to troll the maintainers, so if they're paying any attention they probably do care...

                                                                                                                                              • mikkupikku 2 hours ago

                                                                                                                                                Most people do, and those who don't still get banned so...

                                                                                                                                                • metalman 2 hours ago

what you say, is of course the only relevant issue. I can attest to my own experiences on both sides of this situation, one running a small business that is being inundated by job seekers who are sending AI written letters and resumes, and dealing with larger companies that have excess capacity to throw at work orders, but an inability to understand detail, AND, AND!, my own fucking need to survive in this mess, that is forcing me to dismiss certain niceties and adherence to "professional" (ha!), norms. so while the inundation from people from India(not just), is sometimes irritating, I have also wrangled with some of them personally, and under all that is generally just another human, trying to make by best they can, so....

                                                                                                                                                • zoho_seni 2 hours ago

You could easily guard against bullshit issues. So you can focus on what matters. If the issue is legit, it goes ahead to a human reviewer. If it is a run-of-the-mill AI low quality or irrelevant issue, just close. Or even nicer: let the person that opened the issue "argue" with the AI to further explain that it is a legit issue for false positives.

                                                                                                                                                  • nchmy an hour ago

                                                                                                                                                    How is an llm supposed to identify an llm-generated bullshit issue...? It's the fox guarding the henhouse.

                                                                                                                                                    • zoho_seni 9 minutes ago

Just try and you'll see if it can work. Just copy paste some of these issues, give context of the project and ask if it makes sense

                                                                                                                                                • blitzar 2 hours ago

                                                                                                                                                  the only way to stop a bad guy with a llm is with a good guy with a llm

                                                                                                                                                  • ironbound 2 hours ago

                                                                                                                                                    That's just shoveling money to tech companies

                                                                                                                                                  • Hamuko 2 hours ago

                                                                                                                                                    I intensely dislike the idea that we need more AI in order to deal with AI.

                                                                                                                                                    If I ever need to start using an AI to summarize text that someone else has generated with AI from a short summary, I'm gonna be so fucking done.

                                                                                                                                                    • ezst 2 hours ago

                                                                                                                                                      I relate, and then realized that's been the basis of spam handling for decades now. It's depressing, and we aren't putting this genie back in the bottle unfortunately.

                                                                                                                                                      • danaris an hour ago

                                                                                                                                                        How so?

                                                                                                                                                        Spam, for decades, has been a matter of just shoveling truckloads of emails out the door and hoping that one or two get a gullible match.

                                                                                                                                                        Blocking spam, for decades, has been a matter of heuristic pattern-matching.

                                                                                                                                                        I don't see how that is the same as "fighting LLMs with LLMs", or how it could be said to be the same as how spam is made and used.

                                                                                                                                                      • chairmansteve 2 hours ago

                                                                                                                                                        You're done dude. I'm sure it's already happening.

                                                                                                                                                        What are you going to do now?

                                                                                                                                                        • Hamuko 2 hours ago

                                                                                                                                                          It's not happening because I'm not using an AI to summarize text. At the moment slop text is also fairly easy to recognise, so I can just ignore it instead.

                                                                                                                                                        • zoho_seni 2 hours ago

                                                                                                                                                          It's not already happening as of today? You can adapt or... You heard of Darwin right?

                                                                                                                                                    • jb1991 25 minutes ago

                                                                                                                                                      It sounds funny, but it's not. I once issued a bug to them that didn't have enough information about how to reproduce... and I was lambasted on Reddit and eventually just deleted my account there, it was so terrifying. Some dev teams do not mess around. In fact I've shied off most social media since and no longer issue bug reports to any company; I was scarred deep over the treatment.

                                                                                                                                                      • TheDong 21 minutes ago

                                                                                                                                                        I've read their reports before. When there's not enough information to reproduce, they do a good job of asking for more information first, and I've never seen a reasonable good-faith report elicit anything overt.

                                                                                                                                                        If you failed to give them proper reproduction information when asked, then yeah, you were wasting their time and they should rightfully close your issue.

                                                                                                                                                        I've never seen anyone on the curl team undeservedly "lambast" someone, and for a project that has a quite good reputation, I think the burden of proof is on you. Can you link to these supposedly terrifying comments?

                                                                                                                                                        • Retr0id 20 minutes ago

                                                                                                                                                          What was the bug?

                                                                                                                                                        • mixedbit an hour ago

                                                                                                                                                          A long time ago Sourceforge and then GitHub promoted into the current default the model of open source distribution which is not sustainable, and I doubt it is something that the founding fathers of Free Software/Open Source had in mind. Open source licenses are about freedom of using and modifying software. The movement grew out of frustration that commercial software cannot be freely improved and fixed by the user to better fit the user's needs. To create Free software, you ship sources together with your binaries and one of the OSI-approved licenses, that is all. The current default model of having an open issue tracker, accepting third party pull requests, doing code reviews, providing support by email or chat, timely security patches etc., has nothing to do with open source and is not sustainable. This is OK if it is done for a hobby project as long as the author is having fun doing this work, but as soon as the software is used for commercial, production critical systems, the default expectation that authors will be promptly responding to new GitHub issues, bug reports and provide patches for free is insane. This is software support, it is a job, it should be paid.

                                                                                                                                                          • klez 19 minutes ago

                                                                                                                                                            > I doubt it is something that the founding fathers of Free Software/Open Source had in mind.

                                                                                                                                                            Free Software sure, that wasn't the point.

                                                                                                                                                            Open Source, that was exactly the point. Eric S. Raymond, one of the original promoters of the concept of Open Source, coined Linus' Law:

                                                                                                                                                                Given enough eyeballs, all bugs are shallow
                                                                                                                                                            
                                                                                                                                                            Which definitely points in the direction of receiving bug reports and patches from users of the application. He was also a proponent of the Bazaar model, where software is developed in public, as opposed to the Cathedral model where software is only released in milestones (he used GCC and Emacs as examples, which reinforces the part of your statement about the Free Software movement in particular).

                                                                                                                                                            • vladms 20 minutes ago

                                                                                                                                                              > the default expectation that authors will be promptly responding to new GitHub issues, bug reports and provide patches for free is insane.

                                                                                                                                                              I think there are many insane expectations out there, open source or not, so I don't personally see it that linked with the idea/ideal of open source.

                                                                                                                                                              > This is software support, it is a job, it should be paid.

                                                                                                                                                              Anything can be paid, nobody says otherwise. Some people prefer nobody pays for their source code (open source). Other people do support for free. And so on.

                                                                                                                                                              > The currently default model of having ... has nothing to do with open source and is not sustainable.

                                                                                                                                                              There were always arguments why open source will not be sustainable, many having some truth in them. But the current issue can probably be solved with some push-back on the speed of things or how attribution works. Something similar used to happen on some forums: you can't post a new thread for one month if you did not reply at least once without getting down-voted. For the current problem: if contributions are anonymous for the first 3 years of you contributing (if you are not banned) and your name becomes public only after, then all this "noise" for "advertisement" will die. I doubt this will discourage any well-intentioned contributor.

                                                                                                                                                              • spicyusername an hour ago

                                                                                                                                                                    has nothing to do with open source
                                                                                                                                                                
                                                                                                                                                                    long time ago
                                                                                                                                                                
                                                                                                                                                                Sourceforge is almost 30 years old. GitHub almost 20.

                                                                                                                                                                How long does something have to be done a certain way for it to be "to do with"?

                                                                                                                                                                I would say we're now two generations deep of software engineers who came up with open source software commonly being mediated through public issue trackers.

                                                                                                                                                                That isn't to say it needs to stay that way, just that I think a lot of people do in fact associate public project tracking with open source software.

                                                                                                                                                              • j-bos an hour ago

                                                                                                                                                                Seems like a lot of the problems had by the low friction of first Eternal September and now LLM-generated reports and contributions could be resolved by restoring friction. First-time reporters/contributors could be required to send their report or PR by paper mail. Strict requirements for the sender: all text printed on postcards (no letter opening) as QR or other data codes according to a standard formatting. Anything even slightly off goes straight to the trash; high signal/interest contributors can still get their foot in the door.

                                                                                                                                                                • egorfine 7 minutes ago

                                                                                                                                                                  It is a bit naive to expect Indian students to even know about /security.txt existence, let alone reading it.

                                                                                                                                                                  • mgaunard 2 hours ago

                                                                                                                                                                    The new era of AI.

                                                                                                                                                                    • dotancohen 2 hours ago

                                                                                                                                                                      Everybody saw it coming. Frankly I'm surprised it took this long.

                                                                                                                                                                    • embedding-shape 2 hours ago

                                                                                                                                                                      Ah, brings back memories when TPB did something similar to when MPAA and their "associates" emailed them. I think this is probably the best page where one could still see them: https://web.archive.org/web/20111223101839/http://thepirateb...

                                                                                                                                                                      I'm not sure it helped in the end, afaik they did it since like 2003 until some years after the raid, but it still seemed like they didn't get the message and kept trying anyways, which from their perspective makes sense but still.

                                                                                                                                                                      • michaelbuckbee 2 hours ago

                                                                                                                                                                        I think this is probably less effective than if there was some sort of "credit" or reputational score for reporting that seems like something GitHub would have the information to implement.

                                                                                                                                                                        • latexr an hour ago

                                                                                                                                                                          > seems like something GitHub would have the information to implement.

                                                                                                                                                          But not the motivation. GitHub incentivises this type of behaviour; they push you to use their LLMs.

                                                                                                                                                                          GitHub is under Microsoft’s AI division.

                                                                                                                                                                          https://www.geekwire.com/2025/github-will-join-microsofts-co...

                                                                                                                                                                          • embedding-shape an hour ago

                                                                                                                                                                            > GitHub is under Microsoft’s AI division.

                                                                                                                                                            Finally an explanation of why GitHub suddenly has way more bugs than usual for the last months (year even?), and seemingly whole UX flows that no longer work.

                                                                                                                                                            I don't understand how it happens; do developers not at least load the pages their changes presumably affect? Or are the developers doing 100% vibe-coding for production code? Don't get me wrong, I use LLMs for development too, but not so I can sacrifice quality, that wouldn't make much sense.

                                                                                                                                                                          • vladms 16 minutes ago

                                                                                                                                                            Why not go the other direction and make it hard to identify a user, so people do not do it for fame? Open source worked before people were using it as self-advertisement.

                                                                                                                                                                            Might even be good for Microsoft - they would be the only one knowing who is who.

                                                                                                                                                                            • ehhthing 8 minutes ago

                                                                                                                                                                              This already exists on the previous platform curl was using (HackerOne), it does not prevent the slop.

                                                                                                                                                                              At my previous employer, I had access to the company’s bug bounty submissions and I can assure you no matter what you try to do, people will submit slop anyway. This is why many companies will pay for “triage services” that do some screening to try to ensure that the exploit actually works.

                                                                                                                                                                              Unfortunately this means that the first reply to many credible reports are from people who aren’t familiar with the service, meaning that reports often take a long time to be triaged for no reason other than the fact that the reporter assumed that the person reviewing the report would actually understand the product. It’s hard to write good, concise reports if you can’t assume this fact.

                                                                                                                                                                              Honestly, I don’t know what can be done to fix all of this. It’s a bad situation for everyone involved, and only getting worse.

                                                                                                                                                                              • embedding-shape an hour ago

                                                                                                                                                                                I think one of the last thing I'd like on the web is for Microsoft to start keeping a "social score" for developers who participate in FOSS.

                                                                                                                                                                                I understand where it's coming from, and I too think the current situation sucks, but making Microsoft responsible for something like that is bound to create bad times for everyone involved.

                                                                                                                                                                                • tonyedgecombe an hour ago

                                                                                                                                                                                  I’d hate to see GitHub assigning reputation to users.

                                                                                                                                                                                  • IshKebab an hour ago

                                                                                                                                                                                    Yeah this seems like a good idea. Plenty of games have "you have to have this much reputation to play in ranked games" sort of things.

                                                                                                                                                                    I guess people would complain if it was tied to GitHub.

                                                                                                                                                                                  • thephyber 2 hours ago

                                                                                                                                                                                    I am friends with a solo maintainer of a major open source project.

                                                                                                                                                                    He repeatedly complains that at the beginning of some semester, he sees a huge spike of false/unprovable security weakness reports / GitHub issues in the project. He thinks that there is a Chinese university which encourages their students to find and report software vulns as part of their coursework. They don’t seem to verify that what they describe is an actual security vuln or that the issue exists in his GitHub repo. He is very diligent and patient and tries to verify the issue is not reproducible, but this costs him valuable time and very scarce attention.

                                                                                                                                                                                    He also struggles because the upstream branch has diverged from what the major Linux distribution systems have forked/pulled. Sometimes the security vulns are the Linux distro package default configurations of his app, not the upstream default configurations.

                                                                                                                                                                    And also, I’m part of the Kryptos K4 subreddit. In the past ~6 months, the majority of posts saying “I SOLVED IT!!!1!” are LLM copypasta (using an LLM to try to solve it soup-to-nuts, not to do research, ideate, etc). It got so bad that the subreddit will ban users on their first LLM slop post.

                                                                                                                                                                                    I worry that the fears teachers had of students using AI to submit homework has bled over into all aspects of work.

                                                                                                                                                                                    • ironbound an hour ago

                                                                                                                                                                                      As a human being I really enjoy knowing things and being challenged to grow.

                                                                                                                                                                      While crypto-style AI hype men can claim Claude is the best thing since sliced bread, the output of such systems is brittle and confidently wrong.

                                                                                                                                                                      We may have to ride out the storm and continue investing in self-learning, as big tech cannot truly spend 1.5 trillion on the AI investment in 2025 without a world-changing return on revenue; a one billion revenue last year from OpenAI is nothing.

                                                                                                                                                                                      • throwaway85825 an hour ago

                                                                                                                                                                        In China medical students are required to publish original papers. Instead they just pay someone to write it for them and pollute the literature.

                                                                                                                                                                                        • jacquesm an hour ago

                                                                                                                                                                                          So much for the curation argument of the price justification of professional journals.

                                                                                                                                                                                          • yorwba 23 minutes ago

                                                                                                                                                                                            The typical graduation-requirement paper doesn't get published in a professional journal, so I think professional journals do provide significant curation.

                                                                                                                                                                                          • nottorp 17 minutes ago

                                                                                                                                                                                            Medical? What's the point? I'm happy with 98% of doctors being able to handle known conditions and only the few percent that are really interested to do research.

                                                                                                                                                                                          • salawat 2 hours ago

                                                                                                                                                                                            >I worry that the fears teachers had of students using AI to submit homework has bled over into all aspects of work.

                                                                                                                                                                            As one does in academia, so too the market, because now we have financial incentive. It ain't going to stop.

                                                                                                                                                                                          • gosub100 3 minutes ago

                                                                                                                                                                                            I think this is the perfect application of a micro payment service. Each PR must be signed with a nominal amount of money, say $0.15 give or take. You send in a commit, with no expectation to get it back.

                                                                                                                                                                                            • jraph 2 hours ago

                                                                                                                                                                                              Context: [1, 2]

                                                                                                                                                                                              > Open source code library cURL is removing the possibility to earn money by reporting bugs, hoping that this will reduce the volume of AI slop reports.

                                                                                                                                                                                              > cURL has been flooded with AI-generated error reports. Now one of the incentives to create them will go away.

                                                                                                                                                                                              [1] https://news.ycombinator.com/item?id=46701733

                                                                                                                                                                                              [2] https://etn.se/index.php/nyheter/72808-curl-removes-bug-boun...

                                                                                                                                                                                              • dotancohen 2 hours ago

                                                                                                                                                                                                Money for a report and a patch, with convincing test cases, might be worthwhile. Even if a machine generates them.

                                                                                                                                                                                                • TheDong 16 minutes ago

                                                                                                                                                                                                  Not necessarily. Reviewing an issue report is already enough time. Reviewing a patch is even more developer time.

                                                                                                                                                                                                  The problem they had before was a financial incentive to sending reports, leading to crap reports that wasted time to review. Incentivizing sending reports + patches has the same failure mode, but they now have to waste even more time to review the larger quantity of input.

                                                                                                                                                                                                  Anyway, for most cases I'd bet that Daniel can produce and get reviewed a correct patch for a given security bug quicker than the curl team can review a third-party patch for the same, especially if it's "correct, but ai-written".

                                                                                                                                                                                                  • josefx 2 hours ago

                                                                                                                                                                                                    > Even if a machine generates them.

                                                                                                                                                                                                    Why? If it is a purely machine generated report there is no need to have dozens of third parties that throw them around blindly. A project could run it internally without having to deal with the kind of complications third parties introduce, like duplicates, copy paste errors or nonsensical assertions that they deserve money for unrelated bugfixes.

                                                                                                                                                                                                    A purely machine generated report without any meaningful contribution by the submitter seems to be the first thing you would want to exclude from a bug bounty program.

                                                                                                                                                                                                    • jraph 2 hours ago

                                                                                                                                                                                                      I've read this idea that we could make people pay for security reports a few times here on HN (and you get back the money if the report is deemed good). That feels very wrong.

                                                                                                                                                                                                      If I find a security issue, I'm willing to responsibly disclose it, but if you make me pay, I don't think I will bother.

                                                                                                                                                                                                      Punishing bad behavior to disincentivize it seems more sensible.

                                                                                                                                                                                                      • yorwba 2 minutes ago

                                                                                                                                                                                                        For a person finding bugs for a living, an up-front fee to have their report reviewed by a maintainer would amount to an investment towards receiving a bug bounty if their report is valid and valuable. Just the cost of doing business.

                                                                                                                                                                                                        It would discourage drive-by reports by people who just happened to notice a bug and want to let the maintainers know, but I think for a project that's high-profile enough to be flooded by bogus bug reports, bugs that random users just happen to notice will probably also get found by professional bug hunters at some point.

                                                                                                                                                                                                        • ezst an hour ago

                                                                                                                                                                                                          Punishing bad behaviour does close to nothing, because the problem at hand is one of high asymmetry between the low effort to submit vs the high effort to review. I do agree that paying for reports isn't ideal, and we should find other ways to level the playing field, but in the meantime I haven't heard of anything as effective.

                                                                                                                                                                                                          • jraph an hour ago

                                                                                                                                                                                                            > the problem at hand is one of high asymmetry between the low effort to submit vs the high effort to review

                                                                                                                                                                                                            Hence the threat to shame publicly I suppose.

                                                                                                                                                                                                            Actually, Daniel Stenberg previously responded to this proposal the same way as me [1] (and maybe would still do). Coincidentally, I was reading your answer at about the same time as this part of the talk.

                                                                                                                                                                                                            [1] https://www.youtube.com/watch?v=6n2eDcRjSsk&t=1823s (via https://news.ycombinator.com/item?id=46717556#46717822)

                                                                                                                                                                                                            • ezst an hour ago

                                                                                                                                                                                                              Doesn't work when using throwaway accounts, the low effort gets only marginally higher.

                                                                                                                                                                                                        • creata 2 hours ago

                                                                                                                                                                                                          > Even if a machine generates them.

                                                                                                                                                                                                          That sounds wonderfully meritocratic, but in the real world, a machine generating it is a very strong signal that it's bullshit, and the people are flooding maintainers using the machines. Maintainers don't have infinite time.

                                                                                                                                                                                                          • hobs 2 hours ago

                                                                                                                                                                                                            To be clear, no, it is not, because of the opportunity cost of all the other slop. That's what this is all about.

                                                                                                                                                                                                            • johnisgood 2 hours ago

                                                                                                                                                                                                              Then no bug reports and no fixes. Sounds good enough.

                                                                                                                                                                                                              • latexr 2 hours ago

                                                                                                                                                                                                                Of course there are still bug reports and fixes without financial compensation. The proof is all of open-source, including cURL.

                                                                                                                                                                                                                • mikkupikku 2 hours ago

                                                                                                                                                                                                                  They'll still get bug reports and fixes from people who actually give a shit and aren't just trying to get some quick money.

                                                                                                                                                                                                          • vivzkestrel an hour ago

                                                                                                                                                                                                            - I notice a lot of stuff in github issues all the time

                                                                                                                                                                                                            - For example, there is this +1 comment pasted like 500 times that I have seen a lot over issues

                                                                                                                                                                                            - Can't we have a github regex bot of sorts ^(\W+)?\+(\W+)?1(\W+)?$ that removes all such comments? or let the author of the repo control what kind of regex based stuff to remove?

                                                                                                                                                                                            - I know regex kind of sounds old fashioned in the age of LLMs but it is kinda simple to manage and doesn't require crazy infra to run
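As an added example (not vivzkestrel's code and not any existing GitHub bot), a Python filter that applies the regex quoted above, plus a second constructed pattern standing in for a repo-controlled list, to constructed sample comment bodies and reports which ones it would flag:

```python
import re

# Pattern from the comment above: a bare "+1", optionally wrapped in
# non-word characters (whitespace, punctuation, emoji), and nothing else.
PLUS_ONE_PATTERN = r"^(\W+)?\+(\W+)?1(\W+)?$"

# Constructed example of an extra pattern a repo owner might configure.
# The inline (?i) flag makes it case-insensitive.
EXTRA_PATTERNS = (r"(?i)^(\W+)?(me too|same here|bump)(\W+)?$",)

# Constructed sample comment bodies (id, text); not taken from any real issue.
SAMPLE_COMMENTS = [
    (1, "+1"),
    (2, "  +1 \n"),                      # comment box adds trailing newline
    (3, "\U0001F44D +1!"),               # thumbs-up emoji, then +1!
    (4, "+10"),                          # digit after the 1 is a word char
    (5, "+1, this would fix my build too"),
    (6, "I'd +1 this"),
    (7, "+ 1"),                          # whitespace between + and 1
    (8, "Reproduced on v8.0; +1"),
]


def compile_patterns(patterns):
    """Compile the configured regexes once; each must match a whole body."""
    return [re.compile(p) for p in patterns]


def is_low_value_comment(body, compiled):
    """True if the stripped body is matched in full by any configured pattern.

    Stripping first stops trailing newlines from the comment box defeating
    the '$' anchor; fullmatch() guards against patterns that omit anchors.
    """
    text = body.strip()
    return any(rx.fullmatch(text) for rx in compiled)


def filter_comments(comments, patterns=(PLUS_ONE_PATTERN,)):
    """Split (id, body) pairs into (kept_ids, flagged_ids)."""
    compiled = compile_patterns(patterns)
    kept, flagged = [], []
    for cid, body in comments:
        (flagged if is_low_value_comment(body, compiled) else kept).append(cid)
    return kept, flagged


if __name__ == "__main__":
    kept, flagged = filter_comments(SAMPLE_COMMENTS)
    print("flagged:", flagged)   # [1, 2, 3, 7]
    print("kept:   ", kept)      # [4, 5, 6, 8]
```

Because `\W+` also swallows emoji and punctuation, `👍 +1!` is caught, while any body with a word character beyond the `1` (such as `+10` or a sentence) is kept.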

                                                                                                                                                                                                            • zkmon an hour ago

                                                                                                                                                                                                              There's going to be avalanches of code everywhere. You can no longer expect some human to know what some code does or maintain it.

                                                                                                                                                                                                              • Lapsa an hour ago

                                                                                                                                                                                                                I deeply dislike your comment

                                                                                                                                                                                                              • Galanwe an hour ago

                                                                                                                                                                                                                Having an overly long captcha for bug bounties / reports may be the one place where it serves a purpose

                                                                                                                                                                                                                • diffuse_l 2 hours ago

                                                                                                                                                                                                                  The policy link[0] page still has a link to the bug bounty program[1] which still discusses monetary compensation.

                                                                                                                                                                                                                  [0] https://curl.se/dev/vuln-disclosure.html

                                                                                                                                                                                                                  [1] https://curl.se/docs/bugbounty.html

                                                                                                                                                                                                                • rednafi 2 hours ago

                                                                                                                                                                                                                  Creating crap vuln reports or PRs on popular OSS projects has been an issue long before LLMs. Remember Hacktoberfest?

                                                                                                                                                                                                                  Students would often abuse it since there’s no adult in the room to teach them how to behave. I guess this is one hard way to f around and find out. But this is by no means condoning this sort of behavior.

                                                                                                                                                                                                                  Point is, LLMs made the situation more dire: it’s cheap to generate code, whereas reviewing still scales sublinearly. The only way to prevent this is by being rude to people who are rude to you.

                                                                                                                                                                                                                  • ffaser5gxlsll 33 minutes ago

                                                                                                                                                                                                                    It's never fine to be rude.

                                                                                                                                                                                                                    Moving off github into a more niche platform was the best choice I have ever made to curb such zero-effort issue and feature requests. It raises the barrier just enough.

                                                                                                                                                                                                                    On the other hand, I'm a dev, and I hate the "start a discussion first" gatekeeping. I participated in projects where the approach is to start a discussion on a forum first, and I get the same feeling you have as a tech guy calling ISP support on the phone.

                                                                                                                                                                                                                    • eXpl0it3r 4 minutes ago

                                                                                                                                                                                                                      The discussion requirement is often to prevent disappointment, waste of time, and anger, when maintainers simply close PRs, because it's not the direction they want the project to go. A lot of people will take this very personally, so it's much better to have a conversation about it beforehand.

                                                                                                                                                                                                                  • CrzyLngPwd an hour ago

                                                                                                                                                                                                                    Every site and every service is going to be swamped with AI-generated slop and will have to deal with it by banning it, and then detecting and deleting it.

                                                                                                                                                                                                                    This was entirely predictable. When you give everyone the ability to be good at something with no effort, everyone is going to do it (and think they are the first).

                                                                                                                                                                                                                    My partner recently bought a book from Amazon, and when it arrived, I looked at the cover, flicked through it, and said it was AI slop. She complained to Amazon, and they just refunded her, no questions asked, and the book went in the fire.

                                                                                                                                                                                                                    • anArbitraryOne 43 minutes ago

                                                                                                                                                                                                                      Nice. But it deters people like me who aren't totally confident in sending reports, trading false positives for false negatives.

                                                                                                                                                                                                                      • ironbound an hour ago

                                                                                                                                                                                                                        Can anyone tell me in 2025 how much big tech made in revenue from AI..

                                                                                                                                                                                                                        • yrro 2 hours ago

                                                                                                                                                                                                                          Somehow, I knew this would be curl before finishing reading the headline. Good on them!

                                                                                                                                                                                                                          • latexr an hour ago

                                                                                                                                                                                                                            I was going to add “cURL: ” at the start of the title, but it didn’t fit. The current title is exactly the allowed length, so it seemed more appropriate to keep the message verbatim.

                                                                                                                                                                                                                          • amiga386 2 hours ago

                                                                                                                                                                                                                            • 0dayman 2 hours ago

                                                                                                                                                                                                                              they're suffering from this big time: https://www.youtube.com/watch?v=6n2eDcRjSsk&t=2453s

                                                                                                                                                                                                                              • bob1029 an hour ago

                                                                                                                                                                                                                                This note isn't going to stop even 1% of the jackasses who would have submitted AI slop.

                                                                                                                                                                                                                                There are much better ways to communicate the intended message. This comes off as childish to me and makes me think that I'd rather not contribute to the project.

                                                                                                                                                                                                                                • dmezzetti an hour ago

                                                                                                                                                                                                                                  It's been an issue for a while and it's even bigger now in the age of AI. Lots of people use security as a way to "have their moment" and don't really care about adding value.

                                                                                                                                                                                                                                  But scaring people off from security reports also isn't a great idea either.

                                                                                                                                                                                                                                  • hypeatei 2 hours ago

                                                                                                                                                                                                                                    > We will ban you and ridicule you in public if you waste our time on crap

                                                                                                                                                                                                                                    If shame worked, then slop reports would've stopped being made already. Public ridicule only creates a toxic environment where good faith actors are caught up in unnecessary drama because a maintainer felt their time was being wasted. Ban them, close your bug bounty program, whatever, but don't start attacking people when you feel slighted because that never ends well for anyone (including curl maintainers).

                                                                                                                                                                                                                                    • f311a 2 hours ago

                                                                                                                                                                                                                                      It worked well for me when people were stealing my articles, pretending they wrote them. One tweet or mention on LinkedIn and the article is gone.

                                                                                                                                                                                                                                      • hypeatei 2 hours ago

                                                                                                                                                                                                                                        Plagiarism is much different than collaborating on open source projects but I'm glad that calling them out worked.

                                                                                                                                                                                                                                      • pharrington an hour ago

                                                                                                                                                                                                                                        Test your hypothesis by attaching your offline name to your internet profiles.

                                                                                                                                                                                                                                        • hypeatei an hour ago

                                                                                                                                                                                                                                          That's sort of the whole point of this thought exercise, no? If shame worked in an environment with anonymous/pseudonymous users, then we wouldn't be here. The only people you stand to harm are the ones who attach their real identities to their profile (and they're more likely to be good faith IMO)

                                                                                                                                                                                                                                          Besides, I've seen plenty of profiles here on HN who advertise their real name and espouse (in my view) awful takes that would most likely not fly in real life. I'd recommend reading this article[0] for an example of when people, with their real names exposed, can still cause a shitstorm of misunderstanding.

                                                                                                                                                                                                                                          0: https://lwn.net/Articles/973782/

                                                                                                                                                                                                                                        • maipen 2 hours ago

                                                                                                                                                                                                                                          This is 100% true. I've seen this happen over and over again.

                                                                                                                                                                                                                                          Shaming does not work; you look like an idiot, people will start to despise you, and then you end up ostracizing yourself from the rest of the community, and the only ones left within your bubble are circle jerk assholes.

                                                                                                                                                                                                                                          It's one of those cases where you end up causing more harm than the ones you were complaining about.

                                                                                                                                                                                                                                          Just pathetic behaviour.

                                                                                                                                                                                                                                        • sschueller 2 hours ago

                                                                                                                                                                                                                                          I like the idea of a refundable submission fee for bug bounties. No refunds for slop and poorly researched submissions.

                                                                                                                                                                                                                                          • julius-fx an hour ago

                                                                                                                                                                                                                                            Fair enough.

                                                                                                                                                                                                                                            • hahahahhaah an hour ago

                                                                                                                                                                                                                                              Dog whistle to AI. Love it.

                                                                                                                                                                                                                                              • bilekas 2 hours ago

                                                                                                                                                                                                                                                This is great actually. I can feel the sentiment of the slop they've had to deal with.

                                                                                                                                                                                                                                                Fair play to them.

                                                                                                                                                                                                                                                • vitrealis an hour ago

                                                                                                                                                                                                                                                  Why is cURL specifically receiving so many slop contributions? Or is this a recent phenomenon for every open-source project, and cURL are the ones most spoken of? First time commenting on HN!

                                                                                                                                                                                                                                                  • dirkt an hour ago

                                                                                                                                                                                                                                                    They offered a bug bounty, so people think "let me just use ChatGPT to make money for myself".

                                                                                                                                                                                                                                                    But from what I hear, it affects other projects too. It affected curl more because, with the bug bounty, they actually need to invest work and look at those.

                                                                                                                                                                                                                                                    [1] https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-f...

                                                                                                                                                                                                                                                    [2] https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-s...

                                                                                                                                                                                                                                                    • hypfer 42 minutes ago

                                                                                                                                                                                                                                                      cUrl as a project has a lot of conceptual attack surface for someone looking to find _anything_.

                                                                                                                                                                                                                                                      It is large, very popular (hence impact) and written in C. It supports many many many protocols with all of their real-world implementation quirks. Obscure or mainstream. And always handling user-controlled data.

                                                                                                                                                                                                                                                      If your motivation is a cool CVE for your CV, you'd pick such a project as the target of your efforts.

                                                                                                                                                                                                                                                    • Applejinx 2 hours ago

                                                                                                                                                                                                                                                      One way this can backfire: if you have no reputation and are nobody, and get banned and publicly ridiculed, this is now a badge of honor you can take to wealthy and deluded people convinced of the AI future, to say 'look, I have been shot at! I'm a true believer!'

                                                                                                                                                                                                                                                      And then maybe they will give you money.

                                                                                                                                                                                                                                                      • direwolf20 2 hours ago

                                                                                                                                                                                                                                                        Only if there's a wealthy political group that hates the thing you just got ridiculed by. When you get expelled from a climate conference you can become a right-wing figurehead, but when you get expelled from the cURL vulnerability program, nobody cares.

                                                                                                                                                                                                                                                      • defraudbah 2 hours ago

                                                                                                                                                                                                                                                        lol, fair and square

                                                                                                                                                                                                                                                        • wojciii 2 hours ago

                                                                                                                                                                                                                                                          From https://curl.se/docs/code-of-conduct.html:

                                                                                                                                                                                                                                                          "As contributors and maintainers of this project, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities"

                                                                                                                                                                                                                                                          Why have a code of conduct while being hostile to contributors?

                                                                                                                                                                                                                                                          I think they should handle this differently.

                                                                                                                                                                                                                                                          • javcasas an hour ago

                                                                                                                                                                                                                                                            I don't think that telling a LLM to create a fake bug report is "contributing".

                                                                                                                                                                                                                                                            • Citizen_Lame an hour ago

                                                                                                                                                                                                                                                              Perhaps because they are not really contributors, so it doesn't apply.

                                                                                                                                                                                                                                                              • wojciii an hour ago

                                                                                                                                                                                                                                                                Then they should exclude specific groups from their CoC.

                                                                                                                                                                                                                                                                "You can't be a contributor if you're an Indian using AI".

                                                                                                                                                                                                                                                                I don't think this is the way ..

                                                                                                                                                                                                                                                                • nemomarx 26 minutes ago

                                                                                                                                                                                                                                                                  The simpler part is to say that AI generated text / code is not a contribution and will be banned if found, probably.

                                                                                                                                                                                                                                                                  You won't get a hundred percent hit rate on identifying it, but it at least filters really low-effort, obvious stuff?

                                                                                                                                                                                                                                                              • defraudbah an hour ago

                                                                                                                                                                                                                                                                the whole curl team came here to downvote you, don't be so cruel :D

                                                                                                                                                                                                                                                                • wojciii an hour ago

                                                                                                                                                                                                                                                                  Heh.

                                                                                                                                                                                                                                                                  I understand that people hate to waste time. They should just be polite about it.

                                                                                                                                                                                                                                                                  Or you know .. update or delete the CoC.