Summary
Key Points:
- Curl has decided to end its HackerOne bug bounty program due to an overwhelming influx of low-quality, AI-generated vulnerability reports.
- The impact is a change in how vulnerabilities in curl and libcurl are reported: the monetary-incentive model is replaced by an internal submission process, which may place further strain on the security team's resources.
- Recommended actions include adapting to the new reporting process via GitHub starting February 1, 2026, and ensuring that submissions are well-researched to avoid potential bans for low-quality reports.
Technical Details: The curl project has been inundated with low-effort reports that do not identify actual vulnerabilities, leading to the decision to discontinue the bounty program. This change aims to alleviate the burden on the small security team managing these submissions.
MITRE ATT&CK Techniques: None mentioned
IOCs Mentioned: None mentioned