January 23, 2026

Overrun with AI slop, cURL scraps bug bounties to ensure "intact mental health"

The onslaught includes LLMs finding bogus vulnerabilities and code that won’t compile.

TL;DR

  • cURL, a popular open-source networking tool, is terminating its vulnerability reward program.
  • The decision is driven by a surge in low-quality, AI-generated bug reports that are overwhelming the small maintenance team.
  • Lead developer Daniel Stenberg cited the need for project survival and maintainer mental health as reasons for the closure.
  • Users are concerned that ending the program will affect the security of the tool.
  • cURL, released 30 years ago, is an indispensable tool integrated into major operating systems like Windows, macOS, and Linux.
  • The project has previously rewarded high-quality bug reports with cash bounties.
  • Stenberg differentiates between low-quality AI spam and valuable reports generated using AI tools, commending one researcher for a significant list of bugs found with AI assistance.
  • The situation at cURL may foreshadow similar issues in other bug bounty programs due to AI-generated content.