Dries Buytaert: AI Is Adding Work, Not Relief, for Open Source Maintainers

Dries references the curl project, where maintainer Daniel Stenberg recently ended a longstanding bug bounty program due to a flood of low-value, AI-generated reports. In 2025, fewer than one in twenty submissions uncovered a valid issue, yet each one demanded hours from a small security team. The experience left maintainers frustrated and exhausted. Although Drupal lacks a bug bounty, it offers other incentives, such as contribution credit and visibility, which can also attract low-quality input. The result is a quiet but rising strain on those tasked with evaluating what gets merged.

Maintainers in the Drupal ecosystem express unease about AI for several reasons, including environmental costs, the dilution of craft, and unresolved legal and ethical concerns. Even when contributions are well-meant, the sheer volume and inconsistency of AI-assisted work can be demoralising. Buytaert notes this has caused hesitation around new initiatives that might attract more code without expanding review capacity. He sees this as a critical tension between the need to protect maintainers and the pressure to keep pace with other platforms.

He describes his own position as one caught between two truths: that maintainers are vital and must be shielded from burnout, and that slowing innovation risks making Drupal less relevant. He openly supports AI as a development tool, citing personal success and improved productivity among experienced contributors. But he insists that belief must be tested through results, not assumptions.

To illustrate AI’s potential when used well, he points to researcher Joshua Rogers, whose AI-assisted code analysis produced dozens of valid fixes for curl, and to AISLE, a security firm that used AI to uncover multiple zero-day vulnerabilities in OpenSSL. These examples, he argues, show that the problem is not AI itself, but how and why it is applied. AI used to replace expertise often fails. AI used to amplify it can deliver real value.

Dries endorses a cautious approach rooted in experimentation and transparency. Contributors should test AI tools on their own work, report what helps and what doesn’t, and avoid imposing expectations on others until value is clear. He praises Stenberg’s method of privately testing AI tools before recommending them. Trust, he writes, must be earned through visible results. Drupal contributors are invited to share AI findings in a dedicated issue queue, and Buytaert commits to documenting what emerges, whether it succeeds or not.

He closes with a principle: protect your maintainers. Without them, Open Source fails. AI may one day lighten their load, but until then, no change should add to their burden without offering measurable relief. Buytaert believes AI can help Drupal thrive, but only if adoption is grounded in care, collaboration, and proof.