Curl closes bug bounty program due to overwhelming flood of AI slop reports

The End of curl’s Bug Bounty Program

curl, the popular command-line utility and library, has decided to terminate its HackerOne security bug bounty program due to an influx of low-quality AI-generated vulnerability reports. The decision was revealed in a pending commit to curl’s BUG-BOUNTY.md documentation, which removes all references to the program.

The upcoming update states, “Up until the end of January 2026 there was a curl bug bounty. It is no more. The curl project no longer offers any rewards for reported bugs or vulnerabilities.”

curl, used for transferring data over various protocols, has been offering cash rewards for security vulnerabilities through HackerOne and the Internet Bug Bounty since 2019. However, Daniel Stenberg, curl’s founder and lead developer, has cited a significant increase in low-effort and invalid reports, many of which are suspected to be AI-generated.

Stenberg expressed concerns about the growing trend of AI slop, which refers to low-quality, AI-generated content that lacks substance. He mentioned that the influx of these reports has strained the curl security team, leading to the decision to withdraw from the bug bounty program.

Despite the potential for continued junk reports, Stenberg emphasized the need to prioritize the project’s sustainability and the mental well-being of its developers. The transition from HackerOne to an internal submission process will be gradual, with the project ceasing to accept new HackerOne submissions starting February 1, 2026.

Stenberg also highlighted the project’s updated security.txt file, which now states that no monetary compensation will be provided for reported vulnerabilities. It also warns that submitters of low-quality reports will face public ridicule and potential bans.

For those interested in learning more about this change, Stenberg plans to publish a blog post providing additional details in the coming week.

Transition to Internal Submission Process

The switch from HackerOne’s bug bounty program to an internal submission process will happen in stages. The project will continue to accept HackerOne submissions until January 31, 2026. Any ongoing reports at that time will be processed accordingly. Starting February 1, 2026, new submissions will no longer be accepted through HackerOne, and researchers will be directed to report security issues directly through GitHub.

Impact of AI Slop on curl

Stenberg has expressed concerns about the rise in AI-generated low-quality reports affecting the curl project. The decision to end the bug bounty program is aimed at reducing the strain on the security team caused by the influx of such reports.

He shared examples of what he considers AI slop reports and noted a significant increase in security submissions compared to other open-source projects. Stenberg emphasized the need to address the issue to maintain the project’s integrity and sustainability.

For developers and security researchers, this shift signifies a change in how security vulnerabilities in curl are reported and managed. The project’s updated security policy reflects a more stringent approach to handling vulnerability reports and emphasizes the importance of quality submissions.

Looking Ahead

As curl transitions to an internal submission process, it signals a new chapter in the project’s approach to security. By ending the bug bounty program, the project aims to streamline the reporting process and focus on addressing legitimate security concerns effectively.

Stenberg’s decision to prioritize the project’s long-term viability and the well-being of its contributors underscores the commitment to maintaining curl’s reputation as a reliable and secure tool for data transfer.

For those interested in staying informed about the latest developments regarding curl’s security measures, Stenberg’s upcoming blog post promises to provide further insights into the rationale behind the decision and the future direction of the project.
