Curl ending bug bounty program after flood of AI slop reports

The developer of the popular curl command-line utility and library announced that the project will end its HackerOne security bug bounty program at the end of this month, after being overwhelmed by low-quality AI-generated vulnerability reports.

The change was first discovered in a pending commit to curl’s BUG-BOUNTY.md documentation, which removes all references to the HackerOne program.

Once merged, the file will be updated to state that the curl project no longer offers any rewards for reported bugs or vulnerabilities and will not help researchers obtain compensation from third parties either.

“Up until the end of January 2026 there was a curl bug bounty. It is no more. The curl project no longer offers any rewards for reported bugs or vulnerabilities. We also do not aid security researchers to get such rewards for curl problems from other sources either,” reads the upcoming update.

curl is a command-line utility that allows you to transfer data over various protocols, most commonly used to connect to websites. An associated libcurl library enables developers to incorporate curl into their applications for easy file transfer support.

Since 2019, its bug bounty program has been run through HackerOne and the Internet Bug Bounty, offering cash rewards for responsibly disclosed security vulnerabilities in curl and libcurl.

Daniel Stenberg, curl’s founder and lead developer, says the program has seen a large increase in low-effort and invalid reports, many of which appear to be AI-generated slop.

AI slop is the growing flood of low-effort, AI-generated content that sounds good but doesn’t actually contain anything useful or productive.

In a recent post to his personal mailing list, Stenberg explains that these low-quality reports are straining the curl security team, leading him to withdraw from the program.

“We started out the week receiving seven Hackerone issues within a sixteen hour period. Some of them were true and proper bugs, and taking care of this lot took a good while. Eventually we concluded that none of them identified a vulnerability and we now count twenty submissions done already in 2026,” explained Stenberg.

“The main goal with shutting down the bounty is to remove the incentive for people to submit crap and non-well researched reports to us. AI generated or not. The current torrent of submissions put a high load on the curl security team and this is an attempt to reduce the noise,” continued his post.

In comments on the pull request, Stenberg said that withdrawing from HackerOne may not stop the flood of junk reports. However, he said that curl is a small open-source project with a limited number of active maintainers, and that, to ensure its survival and protect developers’ mental health, he needed to take this action.

Stenberg has also shared examples of what he considers AI slop reports and said he has seen a steep rise in security submissions at curl compared to other open-source projects. 

“We seem to have data that confirms that the #curl bug-bounty has received a steep increased submission rate through 2025, while several other Open Source programs also hosted on Hackerone have not,” Stenberg posted to Mastodon.

The switch from HackerOne’s bug bounty program to an internal submission process will happen in stages.

Stenberg says the curl project will accept HackerOne submissions until January 31, 2026, and that any reports in progress at that time will continue to be processed.

Starting February 1, 2026, the project will no longer accept new HackerOne submissions and will instead ask researchers to report security issues directly through GitHub.

Curl’s new stance is also reflected in a recent update to its security.txt file, which states that the project offers no monetary compensation for reported vulnerabilities and warns that people who submit “crap” reports will be banned and ridiculed publicly.

Stenberg says he will publish a blog post next week with more details about this upcoming change.