
Autonomous artificial intelligence (AI) agents are flooding open source project maintainers with large volumes of security flaw reports, adding to their burden.

Axios recently reported that most of these reports lack specific evidence, and that their submitters often cannot answer follow-up questions, compounding maintainers' difficulties.

The situation has worsened with the emergence of the open source autonomous agent OpenClaw, which lets users automatically analyse open source code and automatically submit bug reports to maintainers.

Christopher Robinson, chief technology officer at the Open Source Security Foundation, said cases in which reporters cannot answer maintainers' follow-up questions are increasing. He said this is a sign either that AI is finding the issues or that AI agents are automating the entire process.

Axios said well-known open source projects previously received an average of 2 to 3 bug reports a week, and less well-known projects about 1 a month. That has changed sharply: it said some projects now receive hundreds at a time.

Robinson said maintainers must spend 2 to 8 hours on reviews, and that time is not compensated anywhere.

As the situation has grown serious, some maintainers have shut down their bug bounty programmes altogether. Others block people who submit what they call "bad reports generated by AI".

Daniel Stenberg, maintainer of the well-known open source project curl, ended its bug bounty programme after being plagued by piles of AI-generated reports. Fewer than 5 percent of the reports submitted in 2025 were valid.

Copyright © DigitalToday. All rights reserved. Unauthorized reproduction and redistribution are prohibited.