news

cURL Halts Bug Bounties, Citing AI Spam and Mental Health Concerns

· Livio Andrea Acerbo

cURL Halts Bug Bounties, Citing AI Spam and Mental Health Concerns

Overrun with AI Slop, cURL Scraps Bug Bounties to Ensure “Intact Mental Health”

In a bold move to combat the flood of low-quality, AI-generated bug reports, the cURL project is shutting down its HackerOne bug bounty program by January 31, 2026, redirecting all future submissions to GitHub without financial rewards.[1][2][3][4] This decision, led by founder Daniel Stenberg, prioritizes the mental health of the small open-source team’s maintainers amid an overwhelming torrent of “AI slop.”[4][5]

The Rise of AI Slop in Bug Bounties

cURL, the ubiquitous command-line tool and libcurl library used for data transfers across protocols like HTTP, has powered countless applications since its inception.[4] Its bug bounty program, active since 2019 on HackerOne and the Internet Bug Bounty, paid out over $101,020 for valid vulnerabilities.[7] However, what began as a incentive for genuine security research devolved into a nightmare of junk submissions.

The influx started noticeably in May 2025, with bogus reports inundating HackerOne, forcing maintainers to sift through garbage.[1] Stenberg threatened bans for AI-generated slop, but the problem escalated into 2026. Just weeks into the new year, seven reports arrived in a 16-hour span during one week—some bugs, but no security vulnerabilities—and the tally hit 20 by Stenberg’s latest update.[1][5] These weren’t isolated; data showed cURL’s submission rate spiking in 2025 compared to other HackerOne-hosted open-source projects.[4]

Stenberg described the reports as “crap and non-well researched,” often AI-generated hallucinations lacking substance.[2][3][4] Processing them drained the security team’s time, verifying non-issues and debunking fakes.[3][5] In a GitHub pull request titled “BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026,” he removed all bounty references from documentation.[1][4][5] The project’s security.txt file now bluntly states: “Up until the end of January 2026 there was a curl bug bounty. It is no more.”[3][4] It warns of no rewards, no aid for third-party payouts, and public ridicule or bans for junk submitters.[1][4]

Why cURL Pulled the Plug: Incentives Gone Wrong

The core issue? Monetary incentives fueled abuse.[2][3][5] Bug bounties, designed to crowdsource security fixes, attracted opportunists—human or bot—churning out low-effort reports for quick cash.[6] Stenberg noted: “The main goal with shutting down the bounty is to remove the incentive for people to submit crap… AI generated or not. The current torrent… put a high load on the curl security team.”[2][3][4] As a small project with limited maintainers, cURL couldn’t sustain the triage burden.[4]

Stenberg acknowledged AI’s potential as a bug-hunting aid—citing strong reports it helped uncover—but the downside outweighed benefits when it enabled mass spam.[5] HackerOne submissions will process through January 31, 2026, but from February 1, everything shifts to GitHub or the mailing list, sans payouts.[1][3][4] He hopes genuine researchers continue reporting “actual security vulnerabilities,” even unpaid, though the future remains uncertain.[5]

This isn’t just about efficiency; it’s a mental health imperative. Stenberg emphasized protecting developers’ “intact mental health” in a resource-strapped open-source ecosystem.[4] Public shaming of “silly” reports will persist as a deterrent.[5]

Broader Implications for Open Source and Bug Bounties

cURL’s exit highlights a growing crisis in bug bounty ecosystems. AI tools democratize vulnerability discovery but flood programs with false positives and slop, taxing small teams.[7] On Hacker News, discussions revealed how “bug bounty slop works” for low-hanging fruit: automate scans, submit en masse, and pocket token payouts from outsourced triage.[6] Larger companies might absorb this, but projects like cURL cannot.

Other open-source initiatives on HackerOne haven’t seen the same surge, per Stenberg’s Mastodon post, suggesting cURL’s prominence made it a prime target.[4] Solutions floated include entry barriers, punishments for bad-faith reports, or expert blogs proving exploits—raising the bar beyond AI copy-paste.[6]

cURL plans a formal announcement soon, with Stenberg teasing a blog post for details.[1][4] Meanwhile, the security.txt update sends a clear message: quality over quantity.

What This Means for Security Researchers and Users

For researchers, the shift demands adaptation. No more easy money from cURL, but reputation via GitHub could shine brighter. Stenberg welcomes valid reports, urging focus on real issues.[5] Users of cURL—developers embedding libcurl in apps—benefit indirectly: maintainers regain bandwidth for core work, potentially speeding fixes.[4]

This saga underscores AI’s double-edged sword in cybersecurity. While accelerating hunts, unchecked generation erodes trust. cURL’s drastic step may inspire others, reshaping how open-source projects incentivize contributions.

In ending bounties, cURL bets on intrinsic motivation over cash. Will hackers step up? Time—and submission quality—will tell. Projects everywhere watch closely as AI reshapes the bug-hunting landscape.

(Word count: 812)


Original source: Ars Technica – Overrun with AI slop, cURL scraps bug bounties to ensure “intact mental health”

Comments are closed.

Search

Press Enter to search · Esc to close