Open-source project overwhelmed by AI-generated noise

The developers behind curl, the ubiquitous command-line tool for transferring data, have made a tough decision - they're ending their bug bounty program effective January 2026. The reason? An unmanageable flood of what they call "AI Slop" - artificially generated vulnerability reports that look polished but lack substance.

When quantity drowns quality

Founder Daniel Stenberg didn't mince words describing the problem: "These reports may sound technical and professional, but when you dig in, there's nothing there." The small maintenance team found themselves buried under submissions - seven invalid reports in just 16 hours, totaling 20 since New Year's Day.

"It's become a mental health issue," Stenberg admitted. "Every notification could be another hour wasted chasing ghosts."

New reporting rules take effect

Starting February 1:

• No more cash rewards for reported bugs
• Third-party compensation assistance ends
• All security issues must go through GitHub The project has even updated its security.txt file with a blunt warning: submit garbage reports risk getting banned - or becoming internet meme material.

Why this matters beyond curl

The situation highlights growing pains as AI tools lower the barrier to entry in technical fields. While democratizing knowledge sounds positive, the curl team's experience shows how easily good intentions can backfire when systems aren't designed to filter signal from noise.

"We want real researchers to keep contributing," Stenberg emphasized. "But we can't let automated junk discourage them - or burn out our volunteers."

Key Points:

• curl ends HackerOne bounty program due to AI-generated spam reports
• Team received 20 invalid submissions in January alone
• New policy routes all bugs through GitHub, offers no financial rewards
• Project warns about potential public shaming for spammers
• Decision reflects broader challenges of AI-generated content flooding technical communities