Curl shutters bug bounty program to stop AI slop

"The maintainer of popular open-source data transfer tool cURL has ended the project's bug bounty program after maintainers struggled to assess a flood of AI-generated contributions. Curler-in-chief Daniel Stenberg last week lodged a GitHub commit named "BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026". Readers may recall that Stenberg started complaining about AI-generated bug reports in early 2024, and by mid-2025 contemplated killing the project's bug bounty program."
"Figuring that out took "a good while." He then expressed his hope that ending the bug bounty program will "remove the incentive for people to submit crap and non-well researched reports to us. AI generated or not." "The current torrent of submissions put a high load on the curl security team and this is an attempt to reduce the noise.""
Daniel Stenberg ended the cURL project's bug bounty program effective end of January 2026. Stenberg cited a flood of AI-generated and poorly researched submissions that made assessment difficult for maintainers. The recent bounty round produced seven submissions; some identified bugs but none reported vulnerabilities, and validation required significant time. The program's volume imposed a high load on the curl security team and increased noise. Ending the bounty aims to remove the incentive for low-quality reports while still encouraging reports of actual security vulnerabilities without payment. Stenberg acknowledged that some contributors were ordinary misled humans and noted that AI can be a useful bug-hunting aid.
Read at The Register