The curl project plans to end its HackerOne bug bounty program at the end of January, citing a surge in low-quality AI-generated vulnerability reports
The developer of the popular curl command-line utility and library announced that the project will end its HackerOne security bug bounty program …
BleepingComputer · Lawrence Abrams
Related Coverage
- Overrun with AI slop, cURL scraps bug bounties to ensure “intact mental health” Ars Technica · Dan Goodin
- Drowning in AI slop, cURL ends bug bounties The New Stack · Steven J. Vaughan-Nichols
- Curl shutters bug bounty program to remove incentive for submitting AI slop The Register · Simon Sharwood
- We will ban you and ridicule you in public if you waste our time on crap reports Hacker News
- Node.js Updated HackerOne Program to Require a Signal of 1.0 or Higher to Submit Vulnerability Reports Cyber Security News · Abinaya
Discussion
-
@weldpond
Chris Wysopal
on x
cURL has ended its bug bounty program after being overwhelmed by a flood of low-quality, often AI-generated bug reports that strained its volunteer security team. Maintainer Daniel Stenberg hopes the move will cut noise and encourage real vulnerability reports — even without
-
@pfrazee.com
Paul Frazee
on bluesky
RE cURL ending its bug bounty due to slop submissions... yeah. Both security and recruiting inboxes are being overrun with this kind of thing
-
@k8em0
Katie Moussouris
on bluesky
AI was the accelerant on a perverse incentive fire sparked by bug bounty platforms that reward spray & pray. Both open source & orgs without dedicated vuln response teams get overloaded when they offer cash there. cURL is right to leave AI shark-infested waters to start fresh. …
-
@Viss@mastodon.social
on mastodon
i was wondering when @bagder would have had enough. — looks like “this month” — https://www.bleepingcomputer.com/ ... friends dont let friends bug bounty. — ESPECIALLY now that ai is a thing.
-
@bagder@mastodon.social
on mastodon
We seem to have data that confirms that the #curl bug-bounty has received a steep increased submission rate through 2025, while several other Open Source programs also hosted on Hackerone have not. (There's a graph coming in my pending blog post.) — What could possibly be the …
-
r/cybersecurity
on reddit
Curl ending bug bounty program after flood of AI slop reports
-
r/opensource
on reddit
Drowning in AI slop, cURL ends bug bounties
-
@jtlg
James Grimmelmann
on bluesky
Bad content drives out good. — arstechnica.com/security/202...
-
r/technews
on reddit
Overrun with AI slop, cURL scraps bug bounties to ensure “intact mental health”