Overrun with AI slop, cURL scraps bug bounties to ensure “intact mental health”

The lead developer of cURL, a widely utilized networking tool, has announced the discontinuation of its bug bounty program due to an overwhelming influx of subpar reports, many of which are generated by AI. Daniel Stenberg, the founder and primary developer of the open-source project, expressed his concerns about the situation. "We are just a small team managing a single open-source project, and we cannot control the influx of low-quality submissions from these automated systems," he stated. Stenberg emphasized the need for the team to safeguard their well-being and focus on maintaining the project's integrity. In response to the announcement, some cURL users voiced their frustration, arguing that the decision merely addresses the symptoms of the problem rather than its root causes. They fear that this move could jeopardize the vital security measures that the bug bounty program provided. Stenberg acknowledged these concerns but insisted that the team had little choice. In a separate communication, he did not mince words, stating, "We will ban you and ridicule you in public if you waste our time on meaningless reports." The official termination of the bug bounty program will be effective at the end of this month, as confirmed by an update on cURL’s GitHub account. Originally released thirty years ago under the names httpget and urlget, cURL has grown to be an essential tool for system administrators, researchers, and security experts, facilitating tasks such as file transfers and troubleshooting web software. Given its extensive integration in operating systems like Windows, macOS, and various Linux distributions, ensuring its security is critical. Traditionally, the cURL team has relied on external researchers to submit private bug reports, offering cash rewards for reports of significant vulnerabilities to encourage high-quality submissions.