Beloved tool cURL is shutting down its bug bounty over AI slop reports

Well, it finally happened. Curl, the command-line tool/library for transferring data with URLs that runs on practically everything from Windows to FreeBSD, has shut down its bug bounty program.

This decision came last week when Daniel Stenberg, lead dev and creator of the project, made a pull request on GitHub to remove all mention of the program from the documentation. He set the end of January 2026 as the final date. Here's what he said:

Up until the end of January 2026 there was a curl bug bounty. It is no more.

The curl project does not anymore offer any rewards for reported bugs or vulnerabilities. We also do not aid security researchers to get such rewards for curl problems from other sources either.

We have concluded the hard way that a bug bounty gives people too strong incentives to find and make up "problems" in bad faith that cause overload and abuse.

We still appreciate and value valid vulnerability reports.

Stenberg told etn.se that AI slop and bad reports have been increasing so much that the team had to "try to brake the flood in order not to drown". The developer already had a history of publicly complaining about what he calls "AI crap" flooding the bug bounty program on HackerOne.

The project's maintainers, who have to read these AI-generated reports, struggle to make sense of them since most are nonsensical. Many AI tools lack the necessary code context to produce sound reports, which ends up distracting developers from legitimate issues that actually need fixing.

Eventually, the cURL project instituted a policy that any reporter who submitted "AI Slop" would be banned from the program. That did not stop the horde of low-quality submissions. By mid-2025, Stenberg began to consider shutting down the program entirely to remove the financial motivation for submitting garbage.

The cURL bug bounty program has been around since 2019 and was managed through HackerOne. During its operation, the program paid out over $100,000 for valid security vulnerability reports.

Obviously, cURL is not the only project drowning in this sludge of AI-generated bug reports. Other projects that are currently facing this issue include the Python Software Foundation, React, and Apache Airflow.

You can check out Stenberg's original PR here.
