- Curl Ends HackerOne Bug Bounty Due to Fake AI-Generated Vulnerability Reports
- Developers say incentives led to abuse, overwhelming security team with invalid submissions
- Starting February 2026, bug reports will be pushed to GitHub without financial reward
The developers of curl, the open source command line tool and software library, are killing their HackerOne bug bounty program because they are inundated with fake issues and vulnerabilities.
A new notice posted on GitHub states that the program will end at the end of January 2026.
“Until the end of January 2026, there was a curl bug bounty. This is no longer the case,” the document reads. “The curl project no longer offers rewards for reported bugs or vulnerabilities. We also do not help security researchers obtain such rewards for curl issues from other sources.”
Putting the security team to the test
The document then describes the status of the bug bounty program, which apparently did not serve its purpose:
“We concluded the hard way that a bug bounty incentivizes people too strongly to find and fix bad faith ‘issues’ that cause overload and abuse. We always value valid vulnerability reports.”
Quoting curl founder and lead developer Daniel Stenberg, BleepingComputer reported that the problem is that “researchers” are using generative artificial intelligence (GenAI) to create “AI slop” reports.
The same source claims that Stenberg recently sent an email to his subscribers, explaining how these bad reports are hurting the security team:
“We started the week receiving seven issues from HackerOne in sixteen hours. Some of them were real, proper bugs and took some time to take care of. Ultimately, we concluded that none of them identified a vulnerability and we now have twenty submissions already made in 2026,” Stenberg said.
“The main goal of removing the bounty is to remove any incentive for people to submit crappy, poorly researched reports to us. AI-generated or not. The current torrent of submissions places a high burden on the curl security team and this is an attempt to reduce the noise.”
Starting February 2026, all bug reports will go directly through GitHub and will not be paid for.




