
curl Shuts Down Bug Bounty Program After Flood of AI Slop Reports

Blog post from Socket

Post Details

- Company: Socket
- Author: Sarah Gooding
- Word Count: 1,027
- Language: English
Summary

curl, a widely used open-source project, announced that it will end its bug bounty program by January 2026, stopping its use of HackerOne for vulnerability reports and moving to its own disclosure process. The decision, led by curl creator Daniel Stenberg, was driven by a surge of low-quality, AI-generated reports that burdened maintainers without producing valuable findings; it reflects a broader problem with bug bounty models that reward volume over substantive contributions. Maintainers have voiced frustration with the time-consuming triage of these reports, which often cite non-existent code and make unverifiable claims, adding to their unpaid labor. The move is in line with similar steps by other open-source projects such as Django and Node.js, which have also tightened their security processes in response to the flood of automated submissions. While security researchers have raised concerns about structural failures of bug bounty platforms, curl's decision underscores the need for open-source projects to manage their security workloads sustainably, with further measures, such as a possible paid entry system, under consideration if low-quality submissions persist.