Curl Removes Bug Bounties Due to AI Slop

The Curl project, a cornerstone of internet infrastructure used by billions of devices, has made a significant decision regarding its security practices. The project has officially discontinued its bug bounty program.

This move comes as a direct response to a massive influx of low-quality vulnerability reports generated by artificial intelligence tools. The maintainers found that the program had become unsustainable, with automated submissions overwhelming their capacity to review and validate legitimate security concerns.

The core issue driving this decision is the phenomenon often referred to as AI slop—automated, poorly written, and often inaccurate security reports generated by AI systems. These reports flood the project's vulnerability disclosure channels, making it difficult to distinguish genuine threats from noise.

Maintainers have described the situation as a deluge of spam. Instead of aiding security, these AI-generated reports consume an inordinate amount of time, requiring manual review that detracts from actual development and security hardening work. The quality of these submissions is typically so low that they offer little to no actionable information.

• Automated generation of vulnerability reports
• Extremely low-quality and inaccurate submissions
• Overwhelming volume that clogs disclosure channels
• Significant time drain on volunteer maintainers

For an open-source project like Curl, which relies heavily on volunteer effort, managing a bug bounty program requires significant administrative overhead. The influx of AI-generated reports has tipped the scales, making the program more of a liability than an asset.

The maintainers' time is a critical resource. Every hour spent sifting through automated spam is an hour not spent on fixing bugs, improving performance, or adding new features. The decision to remove the program was a practical one, aimed at preserving the project's limited resources for its core mission.

The program was removed because of the overwhelming volume of low-quality, AI-generated reports that were consuming too much time to review.

This situation with Curl is not an isolated incident. It reflects a growing challenge across the cybersecurity and open-source communities. As AI tools become more accessible, they are increasingly being used—often irresponsibly—to automate tasks that require human judgment and expertise.

The misuse of AI for generating security reports undermines the very purpose of bug bounty programs: to foster a collaborative environment where researchers can responsibly disclose vulnerabilities. When these channels are flooded with automated noise, it erodes trust and makes it harder for legitimate researchers to get their findings noticed.

The security community now faces a new kind of threat vector—not just in code, but in the processes designed to protect it. Projects may need to develop new verification methods or adjust their reporting guidelines to filter out AI-generated spam effectively.

The removal of Curl's bug bounty program marks a pivotal moment for how open-source projects manage security disclosures. It may prompt other projects to re-evaluate their own programs and implement stricter submission guidelines or verification steps.

For researchers and security enthusiasts, this change underscores the importance of human insight and quality over automated quantity. The future of bug bounty programs may involve more nuanced systems to ensure that rewards go to those who provide genuine, well-documented, and actionable security insights.

Ultimately, the Curl team's decision is a call for a more responsible and thoughtful approach to using AI in cybersecurity. It highlights the need for balance between automation and human oversight to maintain the integrity of security research.