Hacker opinion piece: How lazy hacking killed cURL’s bug bounty

The closure of cURL's bug bounty program, announced by its creator Daniel Stenberg, highlights a growing challenge in the bug bounty ecosystem, where the misuse of AI tools has led to an influx of low-quality submissions. Despite AI's potential to aid in security research by accelerating reconnaissance and improving report drafting, its misuse has resulted in a surge of reports that appear technical but lack substance, which has overwhelmed cURL's small security team. This issue, dubbed "AI slop," has prompted cURL to shift its security reporting to a no-bounty model on GitHub, warning against low-effort submissions. The problem stems from individuals using AI to generate reports without understanding the vulnerabilities, rather than using it to enhance their skills. This has led to a decline in the signal-to-noise ratio of submissions, affecting legitimate hackers and organizations alike, and causing some open-source projects to consider stricter reporting barriers. The situation emphasizes the need for responsible use of AI in security research, where human judgment remains crucial, and highlights the importance of evolving bug bounty platforms to filter out noise and maintain trust in the community.