The developer of the popular curl command-line utility and library announced that the project will end its HackerOne security bug bounty program at the end of this month, after being overwhelmed by low-quality AI-generated vulnerability reports.
The change was first discovered in a pending commit to curl’s BUG-BOUNTY.md documentation, which removes all references to the HackerOne program.
Once merged, the file will be updated to state that the curl project no longer offers any rewards for reported bugs or vulnerabilities and will not help researchers obtain compensation from third parties either.
“Up until the end of January 2026 there was a curl bug bounty. It is no more. The curl project no longer offers any rewards for reported bugs or vulnerabilities. We also don’t help security researchers to get such rewards for curl problems from other sources either,” reads the upcoming update.
curl is a command-line utility that lets you transfer data over various protocols, most commonly used to connect to websites. An associated libcurl library allows developers to incorporate curl into their applications for easy file transfer support.
Since 2019, its bug bounty program has been run through HackerOne and the Internet Bug Bounty, offering cash rewards for responsibly disclosed security vulnerabilities in curl and libcurl.
Daniel Stenberg, curl’s founder and lead developer, says the program has seen a significant increase in low-effort and invalid reports, many of which appear to be AI-generated slop.
AI slop is the growing flood of low-effort, AI-generated content that sounds good but doesn't actually contain anything useful or productive.
In a recent post to his personal mailing list, Stenberg explains that these low-quality reports are straining the curl security team, leading him to withdraw from the program.
“We started out the week receiving seven Hackerone issues within a sixteen hour period. Some of them were true and proper bugs, and taking care of this lot took a good while. Eventually we concluded that none of them identified a vulnerability and we now count twenty submissions done already in 2026,” explained Stenberg.
“The main goal with shutting down the bounty is to remove the incentive for people to submit crap and non-well researched reports to us. AI generated or not. The current torrent of submissions put a high load on the curl security team and this is an attempt to reduce the noise,” continued his post.
In comments on the pull request, Stenberg said that withdrawing from HackerOne may not stop the flood of junk reports. However, he said that curl is a small open-source project with a limited number of active maintainers, and that, to ensure its survival and protect developers’ mental health, he needed to take this action.
Stenberg has also shared examples of what he considers AI slop reports and said he has seen a steep rise in security submissions at curl compared to other open-source projects.
“We seem to have data that confirms that the #curl bug-bounty has received a steep increased submission rate through 2025, while several other Open Source programs also hosted on Hackerone have not,” Stenberg posted to Mastodon.
The switch from HackerOne’s bug bounty program to an internal submission process will happen in phases.
Stenberg says the curl project will accept HackerOne submissions until January 31, 2026, and that any reports in progress at that time will continue to be processed.
Starting February 1, 2026, the project will no longer accept new HackerOne submissions and will instead ask researchers to report security issues directly through GitHub.
Curl’s new stance is also reflected in a recent update to its security.txt file, which states that the project offers no monetary compensation for reported vulnerabilities and warns that people who submit “crap” reports will be banned and ridiculed publicly.
Stenberg says he’ll publish a blog post next week with more details about this upcoming change.




