[1]
Overrun with AI slop, cURL scraps bug bounties to ensure "intact mental health"
The project developer for one of the Internet's most popular networking tools is scrapping its vulnerability reward program after being overrun by a spike in the submission of low-quality reports, much of it AI-generated slop. "We are just a small single open source project with a small number of active maintainers," Daniel Stenberg, the founder and lead developer of the open source app cURL, said Thursday. "It is not in our power to change how all these people and their slop machines work. We need to make moves to ensure our survival and intact mental health."

Manufacturing bogus bugs

His comments came as cURL users complained that the move was treating the symptoms caused by AI slop without addressing the cause. The users said they were concerned the move would eliminate a key means for ensuring and maintaining the security of the tool. Stenberg largely agreed, but indicated his team had little choice.

In a separate post on Thursday, Stenberg wrote: "We will ban you and ridicule you in public if you waste our time on crap reports." An update to cURL's official GitHub account made the termination, which takes effect at the end of this month, official.

cURL was first released three decades ago, under the name httpget and later urlget. It has since become an indispensable tool among admins, researchers, and security professionals, among others, for a wide range of tasks, including file transfers, troubleshooting buggy web software, and automating tasks. cURL is integrated into default versions of Windows, macOS, and most distributions of Linux. As such a widely used tool for interacting with vast amounts of data online, security is paramount.

Like many other software makers, cURL project members have relied on private bug reports submitted by outside researchers. To provide an incentive and to reward high-quality submissions, the project members have paid cash bounties in return for reports of high-severity vulnerabilities.
Last May, Stenberg said the number of low-quality AI-generated reports was putting a strain on the cURL security team and was likely to metastasize, hampering other software developers. "AI slop is overwhelming maintainers *today* and it won't stop at curl but only starts there," he said at the time.

The lead developer has also posted a page listing some of the specious reports submitted in recent months. In response to one such report, a cURL project member wrote: "I think you're a victim of LLM hallucination." The member continued:

The text has some similarities to the (bogus) CVE-2020-19909 and other reports. There are plenty of clues that Bard has manufactured bogus information: that code snippet of "curl_easy_setopt" doesn't match the actual signature of the function (and wouldn't even compile), a changelog that doesn't match reality, and more indications that this is completely bogus. I'm curious to hear what your exploit does against a made-up vulnerability. Care to share it?

After the bug reporter complained and reiterated the risk posed by the non-existent vulnerability, Stenberg jumped in and wrote: "You were fooled by an AI into believing that. In what way did we not meet our end of the deal?"

Stenberg isn't critical of AI-assisted bug reports in all cases. In September, he publicly applauded a researcher for sending a "massive list" of bugs that were found using a set of AI-assisted tools. The reports had resulted in 22 bug fixes at the time. In an interview, Stenberg said that the reporter, Joshua Rogers, mostly used an AI-powered code analyzer called ZeroPath. "A clever person using a powerful tool," Stenberg wrote. "I believe most of the worst reports we get are from people just asking an AI bot without caring or understanding much about what it reports." Unfortunately, such cases seem to be the exception.
AI slop has already flooded music-streaming services with so many songs -- often misattributed to real artists -- that the platforms are slowly becoming unusable for music discovery. cURL's move may be an early indication that something similar is happening to bug bounty programs.
[2]
Curl will stop bug bounties program due to avalanche of AI slop
* Curl ends HackerOne bug bounty due to fake and AI-generated vulnerability reports
* Developers say incentives led to abuse, overwhelming the security team with invalid submissions
* From February 2026, bug reports move to GitHub with no financial rewards

The developers of curl, the open source command-line tool and software library, are killing their HackerOne bug bounty program because they are being flooded with fake problems and vulnerabilities. A new advisory published on GitHub says the program is being sunsetted at the end of January 2026. "Up until the end of January 2026 there was a curl bug bounty. It is no more," the document reads. "The curl project no longer offers any rewards for reported bugs or vulnerabilities. We also do not aid security researchers to get such rewards for curl problems from other sources either."

Straining the security team

The document then describes the state of the bug bounty program which, apparently, did not serve its purpose: "We have concluded the hard way that a bug bounty gives people too strong incentives to find and make up 'problems' in bad faith that cause overload and abuse. We still appreciate and value valid vulnerability reports."

Citing curl's founder and lead developer, Daniel Stenberg, BleepingComputer reported that the problem is that "researchers" are using Generative Artificial Intelligence (GenAI) to create "AI slop" reports. The same source says Stenberg recently mailed his followers, explaining how these poor reports are hurting the security team: "We started out the week receiving seven HackerOne issues within a sixteen-hour period. Some of them were true and proper bugs and taking care of this lot took a good while. Eventually we concluded that none of them identified a vulnerability and we now count twenty submissions done already in 2026," Stenberg said.
"The main goal with shutting down the bounty is to remove the incentive for people to submit crap and non-well researched reports to us. AI generated or not. The current torrent of submissions put a high load on the curl security team and this is an attempt to reduce the noise." As of February 2026, all bug reports will go directly through GitHub and will not be paid for.
The widely-used networking tool cURL is ending its HackerOne bug bounty program after being flooded with AI-generated fake vulnerability reports. Lead developer Daniel Stenberg cited the need to protect maintainers' mental health as low-quality submissions strained the small security team. The move raises questions about the future of open-source security programs.
The open-source project cURL is discontinuing its bug bounty program at the end of January 2026, citing an overwhelming flood of AI slop that has strained its small security team beyond capacity [1]. Daniel Stenberg, founder and lead developer of the command-line tool, announced the decision to protect maintainers' mental health and ensure the project's survival [1].
Source: Ars Technica
"We are just a small single open source project with a small number of active maintainers," Stenberg explained. "It is not in our power to change how all these people and their slop machines work. We need to make moves to ensure our survival and intact mental health" [1]. The decision marks a significant shift for one of the Internet's most essential networking tools, first released three decades ago and now integrated into default versions of Windows, macOS, and most Linux distributions [1].

The impact on open-source projects became evident when the cURL security team received seven HackerOne issues within a sixteen-hour period in early 2026, bringing the total to twenty submissions [2]. While some appeared legitimate initially, none ultimately identified actual vulnerabilities [2]. The avalanche of AI-generated bug reports forced the team to spend considerable time investigating manufactured problems rather than addressing genuine security concerns.
Source: TechRadar
Stenberg had warned about this trend as early as May 2025, stating that "AI slop is overwhelming maintainers today and it won't stop at curl but only starts there" [1]. The project documented numerous examples of specious reports, with one team member responding to a submission: "I think you're a victim of LLM hallucination." The report contained code snippets that wouldn't even compile and changelogs that didn't match reality [1].

The GitHub advisory announcing the program's end explained that financial rewards inadvertently created harmful incentives: "We have concluded the hard way that a bug bounty gives people too strong incentives to find and make up 'problems' in bad faith that cause overload and abuse" [2]. Stenberg clarified that removing the bounty aims to eliminate the incentive for submitting poorly researched reports, whether generated by Generative AI or not [2].

As of February 2026, all bug reports will move directly to GitHub with no financial rewards offered [2]. The project warned potential abusers: "We will ban you and ridicule you in public if you waste our time on crap reports" [1].
While Stenberg isn't opposed to all AI-assisted security research (he praised researcher Joshua Rogers in September for using the AI-powered code analyzer ZeroPath to identify 22 legitimate bugs), he distinguishes between thoughtful tool usage and lazy automation: "A clever person using a tool," versus "people just asking an AI bot without caring or understanding much about what it reports" [1].

The decision has sparked concern among cURL users who worry about losing a key mechanism for maintaining security in such a widely-deployed tool. Security researchers rely on bug bounties as both incentive and validation for their work. However, Stenberg indicated his team had little choice given their limited resources.

This development may signal broader challenges ahead for open-source security programs. Just as AI slop has flooded music-streaming services with misattributed songs, making platforms increasingly unusable for discovery, bug bounty programs face similar degradation [1]. Other projects with small maintainer teams should watch how this experiment affects cURL's security posture and whether alternative approaches emerge to balance quality control with community-driven vulnerability discovery.