Overrun with AI slop, cURL scraps bug bounties to ensure "intact mental health"
Briefly

"We are just a small single open source project with a small number of active maintainers,"
"It is not in our power to change how all these people and their slop machines work. We need to make moves to ensure our survival and intact mental health."
"We will ban you and ridicule you in public if you waste our time on crap reports."
cURL will terminate its vulnerability reward program at the end of the month after a surge of low-quality and largely AI-generated bug reports overwhelmed a small maintainer team. The project reported that the volume and poor quality of submissions consumed resources and threatened maintainer wellbeing, prompting the decision. Some users expressed concern that ending the bounty program will reduce incentives for private, high-quality vulnerability disclosures and weaken security practices. cURL remains a widely used tool integrated into Windows, macOS, and most Linux distributions, and security continues to be a critical priority. Historically, cash bounties were offered for high-severity vulnerability reports.
Read at Ars Technica