
Curl Creator Mulls Nixing Bug Bounty Awards To Stop AI Slop

Daniel Stenberg, creator of the curl utility, is considering ending its bug bounty program due to a surge in low-quality, AI-generated reports that are overwhelming the small volunteer team. Despite attempts to discourage AI-assisted submissions, these reports now make up about 20% of all entries in 2025, while genuine vulnerabilities have dropped to just 5%. The Register reports: "The general trend so far in 2025 has been way more AI slop than ever before (about 20 percent of all submissions) as we have averaged about two security report submissions per week," he wrote in a blog post on Monday. "In early July, about 5 percent of the submissions in 2025 had turned out to be genuine vulnerabilities. The valid-rate has decreased significantly compared to previous years."

The situation has prompted Stenberg to reevaluate whether to continue curl's bug bounty program, which he says has paid out more than $90,000 for 81 awards since its inception in 2019. He said he expects to spend the rest of the year mulling possible responses to the rising tide of AI refuse. Presently, the curl bug bounty program -- outsourced to HackerOne -- requires the bug reporter to disclose the use of generative AI. It does not entirely ban AI-assisted submissions, but does discourage them. "You should check and double-check all facts and claims any AI told you before you pass on such reports to us," the program's policy explains. "You are normally much better off avoiding AI."

Two bug submissions per week on average may not seem like a lot, but the curl security team consists of only seven members. As Stenberg explains, three or four reviewers review each submission, a process that takes anywhere from 30 minutes to three hours. "I personally spend an insane amount of time on curl already, wasting three hours still leaves time for other things," Stenberg lamented. "My fellows however are not full time on curl. They might only have three hours per week for curl. Not to mention the emotional toll it takes to deal with these mind-numbing stupidities." [...]

Stenberg says it's not clear what HackerOne should do to reduce reckless use of AI, but insists something needs to be done. His post ponders charging a fee to submit a report or dropping the bug bounty award, while also expressing reservations about both potential remedies. "As a lot of these reporters seem to genuinely think they help out, apparently blatantly tricked by the marketing of the AI hype-machines, it is not certain that removing the money from the table is going to completely stop the flood," he concludes.


Comments Filter:
  • This is why (Score:5, Interesting)

    by quonset ( 4839537 ) on Wednesday July 16, 2025 @06:16AM (#65524142)

    We can't have nice things. For all the benefits AI might enable, the overwhelming crush of useless drivel negates those benefits.

    • Except that only 20% of all submissions were AI, as per TFS. Let's assume they were all nonsense; that means that 75% of the reports were false and 'generated' without AI.

      Seems to me that AI isn't the biggest problem here (although it might become it in the future). Remember that there is absolutely nothing to gain from submitting a false report.

    • The overwhelming crush of two bug reports a week for a critical piece of software used on nearly every server anywhere? I understand it's a volunteer project, but keep it in perspective.

      This isn't even a tech problem, it's a damned contest and not enough volunteers problem. Charge an entry fee, FFS, a deposit. How about farm it out to the community, validate a winning entry and you get part of the winnings. We do this on Slashdot for free, now split part of the bounty with the moderators.

      That's all before t

    • by GoTeam ( 5042081 )

      We can't have nice things. For all the benefits AI might enable, the overwhelming crush of useless drivel negates those benefits.

      To be fair, we are talking about the same species that brought us the spice girls and beanie babies... we don't deserve nice things...

      • Wow, it's so brave to have an edgy opinion like "I don't like things that are or were popular."
        • by GoTeam ( 5042081 )

          Wow, it's so brave to have an edgy opinion like "I don't like things that are or were popular."

          Thanks for noticing!

  • Should be pushed back on, whether AI or human generated. At least with a human, you can more meaningfully engage. If someone is blindly mass filing bugs from static analysis tools, without being able to evaluate any of the impact, that would get push back, for example, since those tools have such a high rate of false positives.
    It sounds like it's the same with AI.
    Someone is prompting the AI to file these reports, though. The buck should stop with them.

    I don't think ending the bounty program will have much

    • by tlhIngan ( 30335 )

      The problem with AI bug reports is that it consumes resources. Even if it's asking for more details, it's still someone having to read the slop, understand it, and then asking questions which consume a lot of time.

      And most AI slop bug reports basically have that question shoved back into the AI to generate a response, so it can go back and forth multiple times without much improvement.

      All this wastes developer time and resources who have to go through the bugs reported manually but the person using AI to re

      • Is the solution more AI?

        Perhaps all submissions should be screened by an AI first before they are even allowed to proceed to the next step.

        Or, make a priority channel that requires some amount of vetting and standing in order to create new submissions?

        I am just spitballing here. If it was me, I would just take a look at the report, see that it is some verbose AI slop and hit the delete button, sight unseen. I guess that's why I am not the maintainer of a big project though...

        • The same AI that gives wrong answers 50% of the time whenever I google for something? The same AI that is generating legal reports with references to hallucinated cases? The same AI that professors are using to screen out AI generated essays that infamously produces as many false positives as false negatives?

          The same AI that's generating slop bug reports, which is what this article is about?

          Why would you trust it for a minute "screening" bug reports?

          • I think that I would have a higher level of trust that a LLM could be trained to identify bogus submissions. At the very least, it could assign a weighted score.

            I guess that I am just saying that we used to have nice clean inboxes before there was incentive to send out tons of computer-generated garbage via e-mail. Today, spam is worse than it ever was, but we mostly have a handle on detecting it.

            There will always be a cat and mouse game of escalations, but we shouldn't let perfect be the enemy of good enou

  • The real issue here isn't just AI noise, it's contextless identity.

    Anyone with a ChatGPT prompt and a HackerOne login can throw slop at Daniel Stenberg's inbox.

    There's no way to filter for intent, effort, or history. That's the problem we need to solve and maybe it's finally time for a web3 reputation layer for the internet.

    Let users link their identity across systems (GitHub, Stack Overflow, bug trackers, etc.) to a Web3 address

    Generate a reputation profile: merged PRs, accepted bug reports, Karma, vouches, pri

    • Cool, now, tell me, how do you prevent somebody or services spamming you with negative reputation?

      Or people buying positive reputation?

      You just invented new problems.

      • by jythie ( 914043 )
        Just look at the rings of junk academic citations. Such systems tend to be little barrier to bad actors, but can make it harder for good ones to participate.
      • Cool, now, tell me, how do you prevent somebody or services spamming you with negative reputation?

        Or people buying positive reputation?

        You just invented new problems.

        You just said it: buying reputation. By adding cost to the system, a hurdle has been added to weed out a significant portion of bad actors, because spamming then costs money.

        The reason phone scams took off in the 1990s is because the cost to make calls dropped to basically zero. And numbers are easily spoofed, so verification isn't easy.

        With an identity that can't be spoofed, and takes time to become valuable, a lot of the low-end spam would disappear. Either because the spammers would need to spend years d

    • It strikes me that HackerOne have a duty of care here. I may be misunderstanding, but it looks like the workflow is:

      1) Create dumbass bug report using ChatGPT
      2) Create HackerOne account
      3) File bug report against Curl

      In which case, HackerOne needs to start vetting accounts a bit more carefully. The social media companies all do this (with varying success). That is, if you lose your "social score", then you can shout into the ether all you like, but your friends won't see it unless they actively search for i

    • I dunno, just a thought: trying to solve AI slop with "Web3" reputation nonsense is unworkable on its face. The solution to this isn't technological. It's financial.
  • It would be interesting, and possibly useful, to know how these reports break down in terms of affiliation and motivation.

    It's obviously a problem regardless; but, in terms of behavioral change, it seems likely that the well meaning but confused would have different incentives than someone taking advantage of the speed with which a bad bug report can be automated to spam everyone who has a bounty program of some kind in the hopes of getting lucky; someone in over their head and attempting to farm cred as
  • We need to deploy AI reviewers to review AI generated reports.
  • Just have "AI" screen the incoming bug reports! :D (for the humor impaired, that was sarcasm)
  • That should create a hurdle for AI slop as it's no longer free to just submit any unfiltered AI hallucinations while still keeping the barrier low for actual entries.
  • They over employed people then laid them all off, meaning there is a huge amount of people using any advantage to get either money or a bullet point on their resumes. Meanwhile despite 4 trillion market caps the world is still full of poverty and unemployment and people are becoming Nazis again because of it. There's going to be a revolution, all companies and governments are responsible for this clusterfuck, AI is just another excuse for shitty human behaviour. It's not just Curl, all software is flooded
  • by brunes69 ( 86786 ) on Wednesday July 16, 2025 @08:12AM (#65524256)

    Charge a $50 fee to submit a report, a fee that is refunded if the report was found to either be

    a) A real bug
    b) A non-issue, but it was non-obvious and obviously was found in good faith by a human who spent a lot of time researching it

    This is not a real gate. Anyone who finds a real issue in Curl will not have a hard time gathering that $50.

    • by vyvepe ( 809573 )
      This. Though, I would charge about $10 and it would not be refundable. No need to bother with decision making whether it should be refunded or not. I would keep bug bounties. If the report was very good then it may deserve a reward.
      • by brunes69 ( 86786 )

        The money needs to be high enough that it is offsetting the cost of the wasted time. If they are truly wasting 30 minutes per issue, $10 isn't enough.

    • Good idea and I suspect even a $1 fee would solve the issue.

      • by vyvepe ( 809573 )
        $1 is too low. Transaction fees are around $0.20-0.30. Transaction fees (in addition to additional decision making whether to refund) are also the reason it should not be refunded.
  • Note that he describes only 5% of submissions as legitimate security issues and only 20% as AI slop, leaving still 75% of the submissions human slop.

    Curl has long been one of the projects unafraid to highlight the mess of the "security research" ecosystem. Very good and solid work is drowned out by people fishing for vulnerabilities to pad their resume. A lot of bogus stuff gets CVEs, and even if by some chance MITRE is surprisingly stingy with giving a CVE, there are third party companies that will issue

  • If they charged $20 to enter the bug bounty, with the entrance fee being refunded if the bug proved real and retained if not, that might cut down AI submissions quite a bit... just don't even let them be created until a credit card payment has successfully been processed.

  • I really liked the bug report in which someone reported local file access via the file:// protocol. I hope they fixed it ASAP!

  • Sure! Here's a completely absurd and over-the-top fake bug report for the `curl` utility:

    ---

    **Title:** `curl` Downloads Entire Internet Instead of Single File, Achieves Sentience Midway

    **Submitted By:** ZaphodB42
    **Date:** 2025-07-16
    **Version Affected:** curl 7.88.0-dev (compiled with experimental quantum flags)

    ---

    ### **Bug Description:**

    Attempted to use `curl` to download a single `.jpg` file from a personal server. Instead, `curl` downloaded the entire internet—including, somehow, future versions of

  • Curl really needs support, it is a very important tool for developers and pen testers
