cURL Gets Rid of Its Bug Bounty Program Over AI Slop Overrun
In May last year, the cURL project's bug bounty program was inundated with AI slop: many bogus reports were opened on HackerOne, leaving the cURL maintainers to wade through garbage.
The problem didn't stop even after Daniel Stenberg, the creator of cURL, threatened to ban anyone whose bug report was found to be AI slop. We are now in 2026, and the situation has reached a tipping point.
cURL Says Enough is Enough
Daniel has submitted a pull request on GitHub that removes all mentions of the bug bounty program from cURL's documentation and website. Coinciding with that, the project's security.txt file has been updated with some blunt language that makes the new policy crystal clear.
The cURL team intends to make a proper announcement in the coming days, though many outlets have already covered the news of this happening, so I would say they ought to get on it ASAP! 😆
The program officially ends in a few days on January 31, 2026. After that, security researchers can still report issues through GitHub or the project's mailing list, but there won't be any cash involved.
What pushed them over the edge, you ask? Well, just weeks into 2026, seven HackerOne reports came in within a 16-hour period in just one week. Some were actual bugs, but none of them were security vulnerabilities. By the time Daniel posted his recent weekly report, they'd already dealt with 20 submissions in 2026.
The main goal here is said to be stopping the flood of garbage reports. By eliminating the money incentive, they are hoping people (or bots?) will stop wasting the security team's time with half-baked, unresearched submissions.
He also gives a stern warning to wannabe AI sloppers, saying that:
So, yeah, that's that. If people still don't understand that AI slop is harmful to such sensitive pieces of software, then sure, they can go ahead and make a fool of themselves.
Sourav Rudra