Curl's Bug Bounty Program Shut Down
The curl project has announced that it will end its HackerOne security bug bounty program due to a large number of low-quality AI-generated vulnerability reports. The program, which was launched in 2019, offered cash rewards for responsibly disclosed security vulnerabilities in curl and libcurl.
Reason Behind The Decision
According to Daniel Stenberg, curl's founder and lead developer, the program has seen a significant increase in low-effort and invalid reports, many of which appear to be AI-generated. This has put a high load on the curl security team, and the decision to shut down the program is an attempt to reduce the noise.
New Submission Process
Starting February 1, 2026, the project will no longer accept new HackerOne submissions and will instead ask researchers to report security issues directly through GitHub. The curl project will also update its security.txt file to state that it offers no monetary compensation for reported vulnerabilities and to warn that people who submit low-quality reports will be banned and ridiculed publicly.
Impact On The Security Community
The shutdown of curl's bug bounty program may not be an isolated incident. Other software providers may need to establish policies to deal with AI-generated vulnerability reports, such as requiring submitters to declare the use of AI or banning it completely.