cURL Ends Bug Bounty Program After Drowning in AI-Generated Slop Reports

The cURL project has shut down its bug bounty program, citing an unmanageable flood of AI-generated vulnerability reports that waste maintainer time — a concrete signal that AI slop is now a real operational problem for open-source infrastructure.

As @ChrisShort reported, the cURL project — one of the most foundational pieces of internet infrastructure — has ended its bug bounty program because AI-generated vulnerability reports have overwhelmed the maintainers. The reports are plausible enough to require investigation but consistently lack substance, creating a worst-of-both-worlds scenario: they can't be auto-filtered, but they rarely identify real bugs.

Unlock the full briefing

Get every story in today's briefing, the full archive, and the daily AI intelligence brief.

All stories today

Full archive

Daily brief

Cancel anytime. Payments powered by Stripe.