Curl ending bug bounty program after flood of AI slop reports
Key Points:
- The curl project will end its HackerOne security bug bounty program on January 31, 2026, due to being overwhelmed by low-quality, often AI-generated vulnerability reports that strain the small security team.
- After this date, curl will no longer offer monetary rewards for bug reports or assist researchers in obtaining compensation from other sources, shifting to an internal submission process via GitHub.
- The decision aims to reduce the influx of poorly researched or invalid submissions, which have increased significantly compared to other open-source projects on HackerOne.
- The curl team warns that submitting low-effort or "crap" reports may lead to public ridicule and banning, emphasizing the need to protect maintainers' mental health and project sustainability.
- Founder