Curl Ends Bug Bounty Program After Flood of AI-Generated Reports

Security Reporter

The curl project is shutting down its HackerOne bug bounty program due to an overwhelming number of low-quality, AI-generated vulnerability reports that are draining the security team's resources. The move highlights a growing challenge for open-source projects in managing automated, low-effort submissions.

The curl project, a cornerstone of internet data transfer, is ending its formal bug bounty program. The decision comes after its security team was inundated with a flood of low-quality, often AI-generated vulnerability reports that provided little value but consumed significant time and effort to evaluate.

Daniel Stenberg, curl's founder and lead developer, announced the change in a pending update to the project's BUG-BOUNTY.md documentation. Once merged, the file will state that the curl project no longer offers rewards for reported bugs or vulnerabilities and will not assist researchers in obtaining compensation from other sources. The program, run through HackerOne and the Internet Bug Bounty since 2019, offered cash rewards for responsibly disclosed security issues in the curl command-line utility and its associated libcurl library.

The core issue is what Stenberg describes as "AI slop"—a torrent of low-effort, AI-generated content that sounds plausible but lacks substantive analysis or valid findings. In a recent post to his personal mailing list, Stenberg detailed the strain this places on the project's small team of maintainers.

"We started out the week receiving seven HackerOne issues within a sixteen hour period. Some of them were true and proper bugs, and taking care of this lot took a good while. Eventually we concluded that none of them identified a vulnerability and we now count twenty submissions done already in 2026," Stenberg explained. "The main goal with shutting down the bounty is to remove the incentive for people to submit crap and non-well researched reports to us. AI generated or not. The current torrent of submissions puts a high load on the curl security team and this is an attempt to reduce the noise."


The problem appears to be specific to curl's program. Stenberg noted that while other open-source projects on HackerOne have not seen a similar spike, curl's submission rate increased steeply throughout 2025. This disparity suggests that the project's high profile and the financial incentive of the bounty may have made it a prime target for automated report generation.

For a project like curl, which is embedded in countless applications and operating systems worldwide, security is paramount. However, the volume of noise makes it difficult for legitimate researchers to get attention and for the team to focus on real threats. Stenberg emphasized that curl is a small project with limited active maintainers, and protecting their mental health and ensuring the project's long-term survival necessitated the change.

The transition away from HackerOne will be phased. The project will continue to accept submissions through the platform until January 31, 2026, and will process any reports already in the pipeline. Starting February 1, 2026, researchers must report security issues directly through GitHub. This shift to an internal, direct submission process is intended to filter out the automated spam and allow the team to focus on quality reports.

The project's updated stance is also reflected in its security.txt file, which now explicitly states that no monetary compensation is offered. It also includes a stark warning: individuals who submit "crap" reports will be banned and ridiculed publicly. Stenberg plans to publish a more detailed blog post next week to outline the new reporting process and expectations for researchers.

This situation underscores a broader challenge facing the open-source ecosystem. As AI tools become more accessible, the barrier to generating seemingly technical reports has lowered, leading to an increase in low-quality submissions. For maintainers of critical infrastructure projects, this creates a significant operational burden. The curl project's decision to eliminate the financial incentive may serve as a case study for other projects grappling with similar issues, forcing a reevaluation of how bug bounty programs are structured in an era of AI-assisted report generation.
