LmCast :: Stay tuned in

Curl ending bug bounty program after flood of AI slop reports

Recorded: Jan. 22, 2026, 10:03 p.m.


By Lawrence Abrams

January 22, 2026
02:01 PM

The developer of the popular curl command-line utility and library announced that the project will end its HackerOne security bug bounty program at the end of this month, after being overwhelmed by low-quality AI-generated vulnerability reports.
The change was first discovered in a pending commit to curl's BUG-BOUNTY.md documentation, which removes all references to the HackerOne program.
Once merged, the file will be updated to state that the curl project no longer offers any rewards for reported bugs or vulnerabilities and will not help researchers obtain compensation from third parties either.

"Up until the end of January 2026 there was a curl bug bounty. It is no more. The curl project no longer offers any rewards for reported bugs or vulnerabilities. We also do not aid security researchers to get such rewards for curl problems from other sources either," reads the upcoming update.
curl is a command-line utility that allows you to transfer data over various protocols, most commonly used to connect to websites. An associated libcurl library enables developers to incorporate curl into their applications for easy file transfer support.
Since 2019, its bug bounty program has been run through HackerOne and the Internet Bug Bounty, offering cash rewards for responsibly disclosed security vulnerabilities in curl and libcurl.
Daniel Stenberg, curl's founder and lead developer, says the program has seen a large increase in low-effort and invalid reports, many of which appear to be AI-generated slop.
AI slop is the growing flood of low-effort, AI-generated content that sounds good but doesn't actually contain anything useful or productive.
In a recent post to his personal mailing list, Stenberg explains that these low-quality reports are straining the curl security team, leading him to withdraw from the program.
"We started out the week receiving seven Hackerone issues within a sixteen hour period. Some of them were true and proper bugs, and taking care of this lot took a good while. Eventually we concluded that none of them identified a vulnerability and we now count twenty submissions done already in 2026," explained Stenberg.
"The main goal with shutting down the bounty is to remove the incentive for people to submit crap and non-well researched reports to us. AI generated or not. The current torrent of submissions put a high load on the curl security team and this is an attempt to reduce the noise," continued his post.
In comments on the pull request, Stenberg said that withdrawing from HackerOne may not stop the flood of junk reports. However, he said that curl is a small open-source project with a limited number of active maintainers, and that, to ensure its survival and protect developers' mental health, he needed to take this action.
Stenberg has also shared examples of what he considers AI slop reports and said he has seen a steep rise in security submissions at curl compared to other open-source projects. 
"We seem to have data that confirms that the #curl bug-bounty has received a steep increased submission rate through 2025, while several other Open Source programs also hosted on Hackerone have not," Stenberg posted to Mastodon.
The switch from HackerOne's bug bounty program to an internal submission process will happen in stages.
Stenberg says the curl project will accept HackerOne submissions until January 31, 2026, and that any reports in progress at that time will continue to be processed.
Starting February 1, 2026, the project will no longer accept new HackerOne submissions and will instead ask researchers to report security issues directly through GitHub.
Curl's new stance is also reflected in a recent update to its security.txt file, which states that the project offers no monetary compensation for reported vulnerabilities and warns that people who submit "crap" reports will be banned and ridiculed publicly.
Stenberg says he will publish a blog post next week with more details about this upcoming change.


Lawrence Abrams
Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.


Comments

wonkybonky - 1 hour ago

 
 

AI is a blight on the entire world.


Copyright @ 2003 - 2026 Bleeping Computer® LLC - All Rights Reserved


The curl command-line utility and associated libcurl library project is ending its bug bounty program through HackerOne due to a significant influx of low-quality, largely AI-generated vulnerability reports. This decision, announced by curl’s founder and lead developer Daniel Stenberg, reflects a strategic shift aimed at protecting the project’s limited maintainer team and ensuring the continued viability of the open-source initiative.

The core issue stems from a dramatic increase in submissions through HackerOne, a substantial portion of which have been identified as “AI slop”—low-effort, often nonsensical reports lacking genuine investigative depth. Stenberg noted that the project was receiving approximately seven HackerOne issues within a sixteen-hour period, with many failing to identify genuine vulnerabilities. By January 2026, the project had already processed over twenty submissions, primarily consisting of non-viable reports, highlighting the unsustainable strain on the curl security team.

This situation has prompted a formal withdrawal from HackerOne’s bug bounty program, effective at the end of January 2026. The project will no longer offer rewards for reported vulnerabilities, nor will it facilitate the collection of those rewards through third-party channels. This decision isn't intended as a rejection of responsible vulnerability reporters, but rather a necessary measure to combat the overwhelming volume of poor-quality submissions.

Stenberg’s strategy involves transitioning to a direct submission process via GitHub. This change is accompanied by a stark warning in the project’s security.txt file, explicitly stating that individuals submitting “crap” reports will be banned and publicly ridiculed. This aggressive stance underscores the seriousness of the situation and aims to deter future submissions of non-constructive reports.

The project's leadership, through a Mastodon post, emphasized its small size and the limited number of active maintainers. Stenberg’s team recognized that the current influx of submissions was unsustainable and posed a threat to the project’s long-term health. He has collected data indicating a significantly elevated submission rate for curl compared to other open-source projects hosted on HackerOne, reinforcing the need for this change.

The move does not dismiss the ongoing need to address vulnerabilities; the decision is driven by a pragmatic assessment of resource constraints. Stenberg's team is transitioning to a more controlled and targeted process, focusing on engaging with and supporting genuine researchers capable of producing valuable, well-researched reports. The change includes a phased approach: submissions via HackerOne will be accepted until January 31, 2026, and reports in progress at that time will continue to be processed. Starting February 1, 2026, the project will exclusively accept security issues through GitHub submissions.

This action is supported by a data point showing a disproportionate submission rate for the curl project, considerably higher than that of other open-source projects hosted on HackerOne. The decision reflects a common trend among open-source projects, particularly those maintained by small teams, battling the explosion of low-quality submissions fueled by increasingly sophisticated AI tools.