πŸ›‘οΈSatisfaction guaranteed β€” Setup refunded if not satisfied after 30 days

Deepthix
Security | January 27, 2026

cURL drops its bug bounty program: AI won... the spam battle

cURL's creator ends the bounty program after a flood of AI-generated reports. A warning sign for the open source ecosystem.

The last straw

Daniel Stenberg, creator of cURL (the command-line tool used by billions of devices), just announced the end of the project's bug bounty program. The reason? A flood of AI-generated reports, known as "AI slop", overwhelming the maintenance team.

In just 16 hours in early January 2026, 7 reports were submitted on HackerOne. Some were actual bugs, but none were security vulnerabilities. In total, 20 submissions in January, mostly useless noise.

When AI becomes the problem

This isn't new. As early as May 2025, cURL was already dealing with this issue. Daniel Stenberg had threatened to ban anyone submitting AI-generated reports. But warnings weren't enough.

The problem is simple: "bug hunters" use LLMs to mass-generate vulnerability reports. They hope to collect bounties without actually understanding the code. Result: maintainers spend more time sorting through garbage than fixing real bugs.

The new policy

The program officially ends on January 31, 2026. After that date:

  • Security issues can still be reported via GitHub or the mailing list
  • No more financial rewards
  • The team reserves the right to "publicly ridicule" AI slop submissions

Daniel Stenberg is blunt in his warning:

"You should NEVER report a bug or vulnerability unless you actually understand it — and can reproduce it. If you still do, I believe I'm in the right to make fun of you."

What this means for open source

This decision reveals a broader problem: AI makes it easy to pollute open source contribution processes. When anyone can generate a report in 30 seconds with ChatGPT, volunteer maintainers drown in triage work.

Other projects, like LLVM, chose a different approach: accepting AI-generated code, but with a "human in the loop" policy that holds contributors accountable. The question remains: should we systematically verify whether a contribution is human-made?

The takeaway

The cURL case illustrates an AI-era paradox: tools meant to improve productivity can also amplify noise. Without a financial incentive, AI spammers have no reason to target cURL. But for projects that keep their bounties, the problem is just beginning.

For developers, the message is clear: quality beats quantity. One well-documented report is worth a thousand AI-generated submissions.

