Curl will stop bug bounty program due to avalanche of AI slop

  • Curl ends HackerOne bug bounty due to fake and AI-generated vulnerability reports
  • Developers say incentives led to abuse, overwhelming the security team with invalid submissions
  • From February 2026, bug reports move to GitHub with no financial rewards

The developers of curl, the open source command-line tool and software library, are killing their HackerOne bug bounty program because they are being flooded with fake problems and vulnerabilities.

A new advisory published on GitHub says the program is being sunset at the end of January 2026.

“Up until the end of January 2026 there was a curl bug bounty. It is no more,” the document reads. “The curl project no longer offers any rewards for reported bugs or vulnerabilities. We also do not aid security researchers to get such rewards for curl problems from other sources either.”

Straining the security team

The document then describes the state of the bug bounty program which, apparently, did not serve its purpose:

“We have concluded the hard way that a bug bounty gives people too strong incentives to find and make up "problems" in bad faith that cause overload and abuse. We still appreciate and value valid vulnerability reports.”

Citing curl’s founder and lead developer, Daniel Stenberg, BleepingComputer reported that the problem is that “researchers” are using Generative Artificial Intelligence (GenAI) to create “AI slop” reports.

The same source says Stenberg recently mailed his followers, explaining how these poor reports are hurting the security team:

"We started out the week receiving seven HackerOne issues within a sixteen-hour period. Some of them were true and proper bugs and taking care of this lot took a good while. Eventually we concluded that none of them identified a vulnerability and we now count twenty submissions done already in 2026," Stenberg said.

"The main goal with shutting down the bounty is to remove the incentive for people to submit crap and non-well researched reports to us. AI generated or not. The current torrent of submissions put a high load on the curl security team and this is an attempt to reduce the noise."

As of February 2026, all bug reports will go directly through GitHub and will not be paid for.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
