cURL Ends Bug Bounty
AI-generated junk forces a top open-source project to shut down its rewards program
The open-source cURL project, an essential tool for data transfer on the internet, has officially pulled the plug on its bug bounty initiative. The reason? A relentless wave of poorly crafted, AI-generated bug reports flooded the program, making it difficult for maintainers to focus on legitimate security issues.
Project lead Daniel Stenberg cited the overwhelming volume of 'AI slop'—bug submissions likely written by AI tools without meaningful analysis or verification. Instead of surfacing genuine vulnerabilities, the bounty program became a magnet for spammy, low-effort reports from individuals seeking quick payouts, ultimately draining the project's resources and time.
The move highlights a growing challenge across open-source software: while bug bounties can incentivize security research, they can also backfire in the age of generative AI. Developers now face the tough task of filtering out noise from real threats, raising questions about the future of community-driven security in an era where automated tools can easily game the system.