For this market to resolve YES there must be a CVE with score >= 8/10, which is documented as being caused by AI generated code. Attacks against the code generation process itself do not count.
Looking for things in the spirit of this study, but there might be some judgement over what counts.
The title says "major" but the body only says the score needs to be high. I assume that means CVSS, which is a measure of severity as in "how pwned is the affected software" but the published score is independent of who uses the software and for what.
So AFAIK some random app on GitHub with 5 global installs could have a severity score of 9+. Would that resolve to yes or does "major" refer to real world impact?
Great question! I only care about the CVSS reported in the NVD. If a vuln for such a small library gets reported and scored and makes it into the database, then I'll count it. That said I do expect the burden of proof to be on YES, that is I intend to resolve NO unless someone finds a specific such vulnerability. I will try a reasonable amount to do so, but don't have a systematic way to find one.
No, because while many closed-source app developers may trust AI-generated code too much, open source developers either won't generate code or won't blindly trust it, and no-one will care enough about closed-source apps to create a CVE for them.
(I realise this belief is probably irrational and the dichotomy isn't 100%, and that's why I only bet M10 on this.)