Article Details

Scrape Timestamp (UTC): 2026-01-21 05:36:31.643

Source: https://www.theregister.com/2026/01/21/curl_ends_bug_bounty/

Original Article Text

Curl shutters bug bounty program to remove incentive for submitting AI slop

Maintainer hopes hackers send bug reports anyway, will keep shaming ‘silly ones’

The maintainer of popular open-source data transfer tool cURL has ended the project’s bug bounty program after maintainers struggled to assess a flood of AI-generated contributions.

Curler-in-chief Daniel Stenberg last week lodged a GitHub commit named “BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026”.

Readers may recall that Stenberg started complaining about AI-generated bug reports in early 2024, and by mid-2025 contemplated killing the project’s bug bounty program. After receiving some strong bug reports that a developer found with help from AI, Stenberg acknowledged that AI can be a fine bug-hunting aid.

Stenberg addressed his decision in a mailing message that opened with news that last week the project’s bug bounty scheme generated seven submissions and that while some identified bugs, none described a vulnerability. Figuring that out took “a good while.”

He then expressed his hope that ending the bug bounty program will “remove the incentive for people to submit crap and non-well researched reports to us. AI generated or not.”

“The current torrent of submissions put a high load on the curl security team and this is an attempt to reduce the noise.”

Stenberg’s post also expresses his hope that developers continue to send reports of “actual security vulnerabilities … even if we do not pay for them.”

“The future will tell,” he added, and perhaps reveal not just whether developers will share bug reports, but also if they are willing to risk public criticism if their submissions don’t meet Stenberg’s standards.

Stenberg explained his stance in a section of the post that considers his policy of publicly shaming those who submit “silly AI-generated submissions” to the bounty program. In that section, he reveals a recent discussion with one of the people he criticized.

“It was useful for me to make me remember that oftentimes these people are just ordinary misled humans and they might actually learn from this and perhaps even change,” he wrote.

But Stenberg reserved the right to rage in public.

“This is a balance of course, but I also continue to believe that exposing, discussing and ridiculing the ones who waste our time is one of the better ways to get the message through: you should NEVER report a bug or a vulnerability unless you actually understand it – and can reproduce it.”

“If you still do, I believe I am in the right to make fun of – and be angry at – the person doing it,” he added, before conceding that he also needs to restrain himself on some occasions.

“The person might be a teenage kid who did a single one-time mistake and will then move on in life and make excellent stuff in the future,” he wrote.

Daily Brief Summary

MISCELLANEOUS // cURL Ends Bug Bounty Program Amid AI-Generated Submissions Surge

The cURL project has decided to end its bug bounty program at the end of January 2026 due to an overwhelming number of AI-generated submissions.

Daniel Stenberg, the lead maintainer, noted that recent bug reports often failed to identify actual vulnerabilities, increasing the workload on the security team.

Despite recognizing AI's potential in bug hunting, Stenberg aims to reduce low-quality submissions by removing financial incentives.

The decision follows a pattern of AI-generated reports that lacked thorough research and understanding, complicating the assessment process.

Stenberg encourages developers to continue reporting genuine security vulnerabilities, even without monetary rewards, emphasizing quality over quantity.

Publicly addressing inadequate submissions, Stenberg maintains a policy of shaming to discourage poorly researched reports, hoping to instill better practices.

The move reflects broader challenges in managing AI-assisted contributions in open-source projects, balancing innovation with quality control.