Tuesday, January 27, 2026

curl Removes Bug Bounties

Jan Tångring (Hacker News):

“AI slop and bad reports in general have been increasing even more lately, so we have to try to brake the flood in order not to drown”, says cURL maintainer Daniel Stenberg to Swedish electronics industry news site etn.se.

Therefore, cURL is terminating the bounty payouts as of the end of January.

[…]

Not all AI-generated bug reports are nonsense. It’s not possible to determine the exact share, but Daniel Stenberg knows of more than a hundred good AI assisted reports that led to corrections.

curl (Hacker News):

We will ban you and ridicule you in public if you waste our time on crap reports.

Update (2026-05-12): Daniel Stenberg:

Part of the deal with project Glasswing was that Anthropic also offered access to their latest AI model to “Open Source projects” via Linux Foundation. Linux Foundation let their project Alpha Omega handle this part, and I was contacted by their representatives. As lead developer of curl I was offered access to the magic model and I graciously accepted the offer. Sure, I’d like to see what it can find in curl.

[…]

The report concluded it found five “Confirmed security vulnerabilities”. I think using the term confirmed is a little amusing when the AI says it confidently by itself.

[…]

Once my curl security team fellows and I had poked on this short list for a number of hours and dug into the details, we had trimmed the list down and were left with one confirmed vulnerability. The other four were three false positives (they highlighted shortcomings that are documented in API documentation) and the fourth we deemed “just a bug”.

2 Comments


Cue the (utterly predictable) criticism from the AI boosters that the real problem was that AI wasn't used to filter the reports.

It's a shame, but I suspect they're probably right up to a point, we'll have to fight fire with fire. We're entering a new age …


Thanks for running such a meticulously curated site, Michael. Because of your tagging, I was quickly able to find the news from May and resolve my cognitive dissonance that this current development had already happened months ago.
