Lawsuit accuses AI security company of publishing hallucinated findings

The case highlights a growing crisis of trust around AI-generated security research as false positives overwhelm the industry

The hallucination problem goes to court

AI hallucinations, the tendency of large language models to generate plausible-sounding but entirely fictional information, have been a known issue since ChatGPT first captured public attention. Lawyers have been sanctioned for citing fake case law generated by AI. Students have been caught submitting papers with fabricated sources.

Security research carries real consequences. A false vulnerability report can tank a company's stock, trigger expensive remediation efforts, or destroy a product's reputation. When those findings turn out to have been hallucinated by an AI model rather than discovered by human researchers, the damage is not undone by a retraction.

An industry drowning in false positives

cURL, one of the most widely used open-source tools in the world, shut down its HackerOne bug bounty program in January 2026. The reason was blunt: validity rates had cratered to below 5%. In other words, fewer than 1 in 20 submitted vulnerability reports described a real bug. Much of the rest consisted of AI-generated false positives, plausible enough to require human review but ultimately worthless.

AI vulnerability scanning tools have been documented producing false-positive rates as high as 80% in some assessments. Every false positive requires human analyst time to investigate and dismiss. Multiply that across thousands of reports and you’ve effectively created a system where AI generates busywork for the humans it was supposed to replace.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.