Curl Creator Mulls Nixing Bug Bounty Awards To Stop AI Slop

Daniel Stenberg, creator of the curl utility, is considering ending its bug bounty program due to a surge in low-quality, AI-generated reports that are overwhelming the small volunteer team. Despite attempts to discourage AI-assisted submissions, these reports now make up about 20% of all entries in 2025, while genuine vulnerabilities have dropped to just 5%. The Register reports: 'The general trend so far in 2025 has been way more AI slop than ever before (about 20 percent of all submissions) as we have averaged about two security report submissions per week,' he wrote in a blog post on Monday. 'In early July, about 5 percent of the submissions in 2025 had turned out to be genuine vulnerabilities. The valid-rate has decreased significantly compared to previous years.'

The situation has prompted Stenberg to reevaluate whether to continue curl's bug bounty program, which he says has paid out more than $90,000 for 81 awards since its inception in 2019. He said he expects to spend the rest of the year mulling possible responses to the rising tide of AI refuse. Presently, the curl bug bounty program -- outsourced to HackerOne - requires the bug reporter to disclose the use of generative AI. It does not entirely ban AI-assisted submissions, but does discourage them. 'You should check and double-check all facts and claims any AI told you before you pass on such reports to us,' the program's policy explains. 'You are normally much better off avoiding AI.'

Two bug submissions per week on average may not seem like a lot, but the curl security team consists of only seven members. As Stenberg explains, three or four reviewers review each submission, a process that takes anywhere from 30 minutes to three hours. 'I personally spend an insane amount of time on curl already, wasting three hours still leaves time for other things,' Stenberg lamented. 'My fellows however are not full time on curl. They might only have three hours per week for curl. Not to mention the emotional toll it takes to deal with these mind-numbing stupidities.'

Stenberg says it's not clear what HackerOne should do to reduce reckless use of AI, but insists something needs to be done. His post ponders charging a fee to submit a report or dropping the bug bounty award, while also expressing reservations about both potential remedies. 'As a lot of these reporters seem to genuinely think they help out, apparently blatantly tricked by the marketing of the AI hype-machines, it is not certain that removing the money from the table is going to completely stop the flood,' he concludes.

Read more of this story at Slashdot.