cURL ends bug bounty program after surge of low-quality, AI-generated reports


The developer of the cURL networking tool is scrapping its vulnerability reward program after being overrun by a spike in low-quality submissions, many of them AI-generated slop, Daniel Stenberg, the project's founder and lead developer, said Thursday.

Stenberg said the project is small with a limited number of active maintainers and that it cannot change how "all these people and their slop machines work," adding the decision was needed "to ensure our survival and intact mental health."

Some cURL users said the move treats symptoms caused by AI slop without addressing the cause and worried it would remove a key means of maintaining the tool's security; Stenberg largely agreed but indicated his team had little choice. In a separate post he wrote, "We will ban you and ridicule you in public if you waste our time on crap reports."

An update to cURL's official GitHub account made the termination official, and the program will end at the end of this month. cURL was first released three decades ago as httpget and later urlget and has become an indispensable tool for administrators, researchers, and security professionals for tasks including file transfers, troubleshooting buggy web software, and automation. Because cURL is so widely used for interacting with vast amounts of data online, its security is paramount, and project members have relied on private bug reports and paid cash bounties for high-severity vulnerabilities.

