curl — Ending its bug bounty after an AI slop flood
• Category: Security
- curl’s maintainer team says their HackerOne-based bounty has been drowning in “crap” submissions, many apparently AI-generated.
- The stated intent is not “bug bounties are bad” — it’s “maintainer time is finite,” and the current incentive structure optimizes for volume.
- Even when reports are not exploitable, every claim still needs triage: reproduce, understand impact, and respond — a tax that scales with noise.
- The project plans to accept HackerOne submissions until the end of January 2026, then move vulnerability intake to direct channels (GitHub / email).
- curl’s updated security posture messaging explicitly says there’s no monetary reward, and that time-wasting reports will be publicly called out.
- This is a real-world datapoint that “AI-assisted security research” without accountability can degrade the security ecosystem for everyone.
- Expect follow-on effects: other FOSS projects may reduce bounties, tighten intake requirements, or outsource triage to preserve maintainer health.
Why it matters
Vulnerability discovery is only useful if the receiver can validate and remediate. If AI tooling increases report volume faster than it increases verification quality, it can push small teams to shut down programs that previously surfaced real bugs. In practice: fewer eyes, less structured disclosure, and slower fixes — not because “security is less important,” but because triage capacity got consumed by noise.
What to do
- If you run a bounty: add stricter reproducibility requirements (exact version, commands, expected/actual behavior) and rate-limit repeat low-signal reporters.
- If you use AI in security review: treat it like an idea generator, not evidence. Don’t file until you can reproduce and explain the impact in your own words.
- If you maintain OSS: consider a dedicated intake form + “proof checklist” to keep triage bounded, and publish a clear policy for low-effort submissions.
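One way to implement the intake gate the first and third bullets describe, as an added example that is not curl's own process or code: it bounces reports missing the reproducibility fields and rate-limits reporters whose submissions keep bouncing. The field names, the version-string format and the bounce threshold are assumptions.

```python
import re
from collections import defaultdict

# Reproducibility fields the intake requires (the page's checklist).
REQUIRED_FIELDS = ("version", "commands", "expected", "actual")
# An "exact version" must look like X.Y or X.Y.Z, not "latest" (assumption).
VERSION_RE = re.compile(r"^\d+\.\d+(\.\d+)?$")


def missing_fields(report: dict) -> list:
    """Return the checklist items the report fails, in checklist order."""
    problems = [f for f in REQUIRED_FIELDS if not str(report.get(f, "")).strip()]
    version = str(report.get("version", "")).strip()
    if version and not VERSION_RE.match(version):
        problems.append("version(exact)")
    # Identical expected and actual behaviour describes no bug at all.
    if report.get("expected") and report.get("expected") == report.get("actual"):
        problems.append("expected==actual")
    return problems


class IntakeGate:
    """Bounce incomplete reports; rate-limit reporters who keep sending them."""

    def __init__(self, max_low_signal: int = 3):
        self.max_low_signal = max_low_signal
        self.low_signal = defaultdict(int)  # reporter -> bounced report count

    def triage(self, reporter: str, report: dict) -> str:
        if self.low_signal[reporter] >= self.max_low_signal:
            return "rate-limited"
        problems = missing_fields(report)
        if problems:
            self.low_signal[reporter] += 1
            return "bounced: " + ", ".join(problems)
        return "queued"


# Constructed sample submissions (not real reports).
GOOD = {"version": "8.11.1", "commands": "curl -v https://example.invalid/",
        "expected": "exit 0", "actual": "crash (SIGSEGV) during transfer"}
VAGUE = {"version": "latest", "commands": "", "expected": "works", "actual": "works"}

if __name__ == "__main__":
    gate = IntakeGate(max_low_signal=2)
    print(gate.triage("alice", GOOD))
    for _ in range(3):
        print(gate.triage("bot", VAGUE))
```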