After the explosive surge in the popularity of generative AI a few years ago, coding assistants and agents have become a mainstream application of the technology. Although there are arguably tangible benefits to this, it also has downsides. Recently, the RPCS3 team banned autonomous AI agents from contributing to the project. Now, the rampant flow of "AI slop" submissions has forced another open-source project to shut its bug bounty doors.
Turso, a fairly popular in-process SQL database that is compatible with SQLite and built in Rust, ran a bug bounty program that paid reporters $1,000 for any bug that could lead to memory corruption. Although the program served its purpose while it was active, it was recently shut down following a flood of AI slop submissions.
In a blog post, the Turso team explains that although it had faith in its testing mechanisms, it created the bug bounty program to cover scenarios where automated testing failed and users were incentivized to find issues that could be fixed. A handful of people received rewards before people with autonomous agents at their disposal realized that it was too easy to "just point an LLM at Turso" and have it find a bug.
This resulted in a massive increase in AI slop submissions with Turso highlighting contributions that described a "CRITICAL bug", but made absolutely no sense. When the developers tried to reason with the authors of the pull request (PR), they would receive nonsensical responses, further confirming that the person submitting the PR didn't really understand the code or the architecture.
Since development time was being wasted reviewing these PRs, Turso created a system that automatically closed PRs it suspected were bot-generated. However, this only led to the bots opening issues requesting manual reviews.
This was the final nail in the coffin of the bug bounty program as it's simply not worthwhile to spend hours reviewing and engaging with a PR that was generated within a minute. Although Turso is not shutting down contributions at this time, it has decided to get rid of the bounty so people with AI agents have little incentive to find bugs.