The curl project plans to end its HackerOne bug bounty program at the end of January, citing a surge in low-quality AI-generated vulnerability reports
The developer of the popular curl command-line utility and library announced that the project will end its HackerOne security bug bounty program …
BleepingComputer · Lawrence Abrams
Related Coverage
- Drowning in AI slop, cURL ends bug bounties (The New Stack · Steven J. Vaughan-Nichols)
- A torrent of AI slop submissions forced an open source project to scrap its bug bounty program - maintainer claims they're removing the “incentive for people to submit crap” (ITPro · Ross Kelly)
- Beloved tool, cURL is shutting down its bug bounty over AI slop reports (Neowin · David Uzondu)
- Curl Ends Bug Bounty Program in 2026 Over AI-Generated Spam Flood (WebProNews · Maya Perez)
- Curl shutters bug bounty program to remove incentive for submitting AI slop (The Register · Simon Sharwood)
- We will ban you and ridicule you in public if you waste our time on crap reports (Hacker News)
Discussion
-
@Viss@mastodon.social
on mastodon
i was wondering when @bagder would have had enough. — looks like “this month” — https://www.bleepingcomputer.com/ ... friends dont let friends bug bounty. — ESPECIALLY now that ai is a thing.
-
@weldpond
Chris Wysopal
on x
cURL has ended its bug bounty program after being overwhelmed by a flood of low-quality, often AI-generated bug reports that strained its volunteer security team. Maintainer Daniel Stenberg hopes the move will cut noise and encourage real vulnerability reports — even without
-
@pfrazee.com
Paul Frazee
on bluesky
RE cURL ending its bug bounty due to slop submissions... yeah. Both security and recruiting inboxes are being overrun with this kind of thing
-
@k8em0
Katie Moussouris
on bluesky
AI was the accelerant on a perverse incentive fire sparked by bug bounty platforms that reward spray & pray. Both open source & orgs without dedicated vuln response teams get overloaded when they offer cash there. cURL is right to leave AI shark-infested waters to start fresh. …
-
@bagder@mastodon.social
on mastodon
We seem to have data that confirms that the #curl bug-bounty has received a steep increased submission rate through 2025, while several other Open Source programs also hosted on Hackerone have not. (There's a graph coming in my pending blog post.) — What could possibly be the …
-
r/opensource
on reddit
Drowning in AI slop, cURL ends bug bounties