cURL Discontinues Bug Bounty Program Due to Overrun of AI-Generated Submissions

Hacker News

The cURL project has decided to terminate its bug bounty program, citing an overwhelming influx of AI-generated "slop" reports on HackerOne. The program officially ends on January 31, 2026, with future security issues to be reported via GitHub or mailing lists without monetary reward.

cURL Gets Rid of Its Bug Bounty Program Over AI Slop Overrun

In May last year, the cURL project's bug bounty program was inundated with AI slop: many bogus reports were opened on HackerOne, leaving the cURL maintainers to sift through garbage.

The problem didn't stop even after Daniel Stenberg, the creator of cURL, threatened to ban anyone whose bug report was found to be AI slop. We are now in 2026, and the situation has reached a tipping point.

cURL Says Enough is Enough

Daniel has submitted a pull request on GitHub that removes all mentions of the bug bounty program from cURL's documentation and website. Coinciding with that, the project's security.txt file has been updated with some blunt language that makes the new policy crystal clear.

The cURL team intends to make a proper announcement in the coming days, though many outlets have already covered the news of this happening, so I would say they ought to get on it ASAP! 😆

The program officially ends in a few days on January 31, 2026. After that, security researchers can still report issues through GitHub or the project's mailing list, but there won't be any cash involved.

What pushed them over the edge, you ask? Well, just weeks into 2026, seven HackerOne reports came in within a 16-hour period in just one week. Some were actual bugs, but none of them were security vulnerabilities. By the time Daniel posted his recent weekly report, they'd already dealt with 20 submissions in 2026.

The main goal here is said to be stopping the flood of garbage reports. By eliminating the money incentive, they are hoping people (or bots?) will stop wasting the security team's time with half-baked, unresearched submissions.

He also gives a stern warning to wannabe AI sloppers, saying that:

So, yeah, that's that. If people still don't understand that AI slop is harmful to such sensitive pieces of software, then sure, they can go ahead and make a fool of themselves.

Sourav Rudra

A nerd with a passion for open source software, custom PC builds, motorsports, and exploring the endless possibilities of this world.
