Curl ending bug bounty program after flood of AI slop reports

The developer of the popular curl command-line utility and library announced that the project will end its HackerOne security bug bounty program at the end of this month, after being overwhelmed by low-quality, AI-generated vulnerability reports.

The change was first spotted in a pending commit to curl's BUG-BOUNTY.md documentation, which removes all references to the HackerOne program.

Once merged, the file will be updated to state that the curl project no longer offers any rewards for reported bugs or vulnerabilities and will not help researchers obtain compensation from third parties either.


“Up until the end of January 2026 there was a curl bug bounty. It is no more. The curl project no longer offers any rewards for reported bugs or vulnerabilities. We also do not help security researchers to get such rewards for curl issues from other sources either,” reads the upcoming update.

curl is a command-line utility for transferring data over numerous protocols, most commonly used to connect to websites. The accompanying libcurl library lets developers embed curl into their applications for easy file transfer support.

Since 2019, its bug bounty program has been run through HackerOne and the Internet Bug Bounty, offering cash rewards for responsibly disclosed security vulnerabilities in curl and libcurl.

Daniel Stenberg, curl's founder and lead developer, says the program has seen a large increase in low-effort and invalid reports, many of which appear to be AI-generated slop.

AI slop is the growing flood of low-effort, AI-generated content that sounds plausible but does not actually contain anything useful or productive.

In a recent post to his personal mailing list, Stenberg explains that these low-quality reports are straining the curl security team, leading him to withdraw from the program.

“We started out the week receiving seven Hackerone issues within a sixteen hour period. Some of them were real and correct bugs, and taking care of this lot took a good while. Eventually we concluded that none of them identified a vulnerability and we now count twenty submissions done already in 2026,” explained Stenberg.

“The main purpose with shutting down the bounty is to remove the incentive for people to submit crap and non-well researched reports to us. AI generated or not. The current torrent of submissions put a high load on the curl security team and this is an attempt to reduce the noise,” his post continued.

In comments on the pull request, Stenberg said that withdrawing from HackerOne may not stop the flood of junk reports. However, he said that curl is a small open-source project with a limited number of active maintainers, and that, to ensure its survival and protect the developers' mental health, he needed to take this action.

Stenberg has also shared examples of what he considers AI slop reports and said he has seen a steep rise in security submissions at curl compared to other open-source projects.

“We seem to have data that confirms that the #curl bug-bounty has received a steep increased submission rate through 2025, while several other Open Source projects also hosted on Hackerone have not,” Stenberg posted to Mastodon.

The switch from HackerOne's bug bounty program to an internal submission process will happen in stages.

Stenberg says the curl project will accept HackerOne submissions until January 31, 2026, and that any reports in progress at that time will continue to be processed.

Starting February 1, 2026, the project will no longer accept new HackerOne submissions and will instead ask researchers to report security issues directly through GitHub.

Curl's new stance is also reflected in a recent update to its security.txt file, which states that the project offers no monetary compensation for reported vulnerabilities and warns that people who submit “crap” reports will be banned and publicly ridiculed.

Stenberg says he will publish a blog post next week with more details about this upcoming change.
