Curl Creator Mulls Nixing Bug Bounty Awards To Stop AI Slop

Daniel Stenberg, creator of the curl utility, is considering ending its bug bounty program due to a surge in low-quality, AI-generated reports that are overwhelming the small volunteer team. Despite attempts to discourage AI-assisted submissions, these reports now make up about 20% of all entries in 2025, while genuine vulnerabilities have dropped to just 5%. The Register reports: "The general trend so far in 2025 has been way more AI slop than ever before (about 20 percent of all submissions) as we have averaged about two security report submissions per week," he wrote in a blog post on Monday. "In early July, about 5 percent of the submissions in 2025 had turned out to be genuine vulnerabilities. The valid-rate has decreased significantly compared to previous years."

The situation has prompted Stenberg to reevaluate whether to continue curl's bug bounty program, which he says has paid out more than $90,000 for 81 awards since its inception in 2019. He said he expects to spend the rest of the year mulling possible responses to the rising tide of AI refuse. Presently, the curl bug bounty program -- outsourced to HackerOne -- requires the bug reporter to disclose the use of generative AI. It does not entirely ban AI-assisted submissions, but does discourage them. "You should check and double-check all facts and claims any AI told you before you pass on such reports to us," the program's policy explains. "You are normally much better off avoiding AI."

Two bug submissions per week on average may not seem like a lot, but the curl security team consists of only seven members. As Stenberg explains, three or four reviewers review each submission, a process that takes anywhere from 30 minutes to three hours. "I personally spend an insane amount of time on curl already, wasting three hours still leaves time for other things," Stenberg lamented. "My fellows however are not full time on curl. They might only have three hours per week for curl. Not to mention the emotional toll it takes to deal with these mind-numbing stupidities." [...]

Stenberg says it's not clear what HackerOne should do to reduce reckless use of AI, but insists something needs to be done. His post ponders charging a fee to submit a report or dropping the bug bounty award, while also expressing reservations about both potential remedies. "As a lot of these reporters seem to genuinely think they help out, apparently blatantly tricked by the marketing of the AI hype-machines, it is not certain that removing the money from the table is going to completely stop the flood," he concludes.

  • This is why (Score:5, Interesting)

    by quonset ( 4839537 ) on Wednesday July 16, 2025 @06:16AM (#65524142)

    We can't have nice things. For all the benefits AI might enable, the overwhelming crush of useless drivel negates those benefits.

    • Except that only 20% of all submissions were AI, as per TFS. Let's assume they were all nonsense; that means that 75% of the reports were false and 'generated' without AI.

      Seems to me that AI isn't the biggest problem here (although it might become it in the future). Remember that there is absolutely nothing to gain from submitting a false report.

    • Re: This is why (Score:4, Insightful)

      by ToasterMonkey ( 467067 ) on Wednesday July 16, 2025 @09:15AM (#65524376) Homepage

      The overwhelming crush of two bug reports a week for a critical piece of software used on nearly every server anywhere? I understand it's a volunteer project, but keep it in perspective.

      This isn't even a tech problem, it's a damned contest and not enough volunteers problem. Charge an entry fee, FFS, a deposit. How about farm it out to the community, validate a winning entry and you get part of the winnings. We do this on Slashdot for free, now split part of the bounty with the moderators.

      That's all before technical solutions like duh, use a strong model to vet entries. Pay for it out of entry fees. Require submissions pass an automated regression test first. Which they should already have... and pay for use of it with entry fees, wait, pay for it out of the winner's pool, what are we giving that money away for if you can't run the program successfully without it?? Vetting submissions is part of the overhead.

      A way bigger pet peeve of mine than beating on AI straw men is treating social problems like technical challenges. It's a contest with cash prizes and the volunteers are tired. I mean figure it out folks.

      • While I think you're on the nose that in this case it is a "people problem" rather than a technical one, and that there should be more volunteers for something that's a critical piece of global technical infrastructure, a paid entry contest is not the way to fix this. For starters, your contest idea isn't legal in California, Colorado, Maryland, Vermont, and Connecticut requires you to ask permission from the state, which is why most of the time you see it also specifically excluded on contests. And that's

    • by GoTeam ( 5042081 )

      We can't have nice things. For all the benefits AI might enable, the overwhelming crush of useless drivel negates those benefits.

      To be fair, we are talking about the same species that brought us the spice girls and beanie babies... we don't deserve nice things...

  • Should be pushed back on, whether AI or human generated. At least with a human, you can more meaningfully engage. If someone is blindly mass filing bugs from static analysis tools, without being able to evaluate any of the impact, that would get push back, for example, since those tools have such a high rate of false positives.
    It sounds like it's the same with AI.
    Someone is prompting the AI to file these reports, though. The buck should stop with them.

    I don't think ending the bounty program will have much

    • by tlhIngan ( 30335 )

      The problem with AI bug reports is that it consumes resources. Even if it's asking for more details, it's still someone having to read the slop, understand it, and then asking questions which consume a lot of time.

      And most AI slop bug reports basically have that question shoved back into the AI to generate a response, so it can go back and forth multiple times without much improvement.

      All this wastes developer time and resources who have to go through the bugs reported manually but the person using AI to re

      • Is the solution more AI?

        Perhaps all submissions should be screened by an AI first before they are even allowed to proceed to the next step.

        Or, make a priority channel that requires some amount of vetting and standing in order to create new submissions?

        I am just spitballing here. If it was me, I would just take a look at the report, see that it is some verbose AI slop and hit the delete button, sight unseen. I guess that's why I am not the maintainer of a big project though...

        • The same AI that gives wrong answers 50% of the time whenever I google for something? The same AI that is generating legal reports with references to hallucinated cases? The same AI that professors are using to screen out AI generated essays that infamously produces as many false positives as false negatives?

          The same AI that's generating slop bug reports, which is that this article is about?

          Why would you trust it for a minute "screening" bug reports?

          • I think that I would have a higher level of trust that a LLM could be trained to identify bogus submissions. At the very least, it could assign a weighted score.

            I guess that I am just saying that we used to have nice clean inboxes before there was incentive to send out tons of computer-generated garbage via e-mail. Today, spam is worse than it ever was, but we mostly have a handle on detecting it.

            There will always be a cat and mouse game of escalations, but we shouldn't let perfect be the enemy of good enou

  • hate me.. (Score:4, Interesting)

    by Idimmu Xul ( 204345 ) on Wednesday July 16, 2025 @06:22AM (#65524148) Homepage Journal

    The real issue here isn't just AI noise, it's contextless identity.

    Anyone with a ChatGPT prompt and a HackerOne login can throw slop at Daniel Stenberg's inbox.

    There's no way to filter for intent, effort, or history. That's the problem we need to solve and maybe it's finally time for a web3 reputation layer for the internet.

    Let users link their identity across systems (GitHub, Stack Overflow, bug trackers, etc.) to a Web3 address

    Generate a reputation profile: merged PRs, accepted bug reports, Karma, vouches, prior bounties, blah blah

    Store that reputation signed off-chain (cheap, privacy-friendly), and optionally allow the address owner to pay gas to sign or pin proofs on-chain (Ethereum, EAS, etc.) if tamper resistance is needed.

    Platforms like HackerOne could then gate access, weigh reports, or skip low-rep users or require a tiny stake to discourage spam while still welcoming newcomers who have done the work.

    This isn't about trying to force blockchain into a use case, but it could be the basis for a portable, verifiable reputation that the user can control and share with any site, forum or service.

    Daniel could then flag users as using AI to create negative reputation and discourage its use. He could also filter and prioritise reports from confirmed good actors.

    And we, the mighty multi decade users of slashdot could represent our hard won karma ...

    This would eliminate 95% of the garbage without banning AI or disincentivising new talent. It would reduce team burnout.

    We could add our Steam and Playstation achievements to our account so someone might actually care about that knife skin you bought...

    I dunno, just a thought

    • Cool, now, tell me, how do you prevent somebody or services spamming you with negative reputation?

      Or people buying positive reputation?

      You just invented new problems.

      • by jythie ( 914043 )
        Just look a the rings of junk academic citations. Such systems tend to be little barrier to bad actors, but can make it harder for good ones to participate.
      • Cool, now, tell me, how do you prevent somebody or services spamming you with negative reputation?

        Or people buying positive reputation?

        You just invented new problems.

        You just said it: buying reputation. By adding cost to the system, a hurdle has been added to weed out a significant portion of bad actors, because spamming then costs money.

        The reason phone scams took off in the 1990s is because the cost to make calls dropped to basically zero. And numbers are easily spoofed, so verification isn't easy.

        With an identity that can't be spoofed, and takes time to become valuable, a lot of the low-end spam would disappear. Either because the spammers would need to spend years d

        • If you're solving issues with the misuse of a reputation system with money, why do you need the reputation system? Just use money from the start. The reputation system is just overcomplicating your ultimate solution.
      • think more along the lines of proof of existence, rather than positive or negative reputation

        a platform could define its own internal reputation system, but can prioritise someone with a consistent 10 years of github commits and 20 years of steam gaming over someone with no proof of existence

        if someone starts spamming AI slop that profile can then be banned from the system internally

    • It strikes me that HackerOne have a duty of care here. I may be misunderstanding, but it looks like the workflow is:

      1) Create dumbass bug report using ChatGPT
      2) Create HackerOne account
      3) File bug report against Curl

      In which case, HackerOne needs to start vetting accounts a bit more carefully. The social media companies all do this (with varying success). That is, if you lose your "social score", then you can shout into the ether all you like, but your friends won't see it unless they actively search for i

    • I dunno, just a thought: trying to solve AI slop with "Web3" reputation nonsense is unworkable on its face. The solution to this isn't technological. It's financial.
  • It would be interesting, and possibly useful, to know how these reports break down in terms of affiliation and motivation.

    It's obviously a problem regardless; but, in terms of behavioral change, it seems likely that the well meaning but confused would have different incentives than someone taking advantage of the speed with which a bad bug report can be automated to spam everyone who has a bounty program of some kind in the hopes of getting lucky; someone in over their head and attempting to farm cred as
  • We need to deploy AI reviewers to review AI generated reports.
  • Just have "AI" screen the incoming bug reports! :D (for the humor impaired, that was sarcasm)
  • That should create a hurdle for AI slop as it's no longer free to just submit any unfiltered AI hallucinations while still keeping the barrier low for actual entries.
  • They over employed people then laid them all off, meaning there is a huge amount of people using any advantage to get either money or a bullet point on their resumes. Meanwhile despite 4 trillion market caps the world is still full of poverty and unemployment and people are becoming Nazis again because of it. There's going to be a revolution, all companies and governments are responsible for this clusterfuck, AI is just another excuse for shitty human behaviour. It's not just Curl, all software is flooded
  • by brunes69 ( 86786 ) on Wednesday July 16, 2025 @08:12AM (#65524256)

    Charge a $50 fee to submit a report, a fee that is refunded if the report was found to either be

    a) A real bug
    b) A non-issue, but it was non-obvious and obviously was found in good faith by a human who spent a lot of time researching it

    This is not a real gate. Anyone who finds a real issue in Curl will not have a hard time gathering that $50.

    • by vyvepe ( 809573 )
      This. Though, I would charge about $10 and it would not be refundable. No need to bother with decision making whether it should be refunded or not. I would keep bug bounties. If the report was very good then it may deserve a reward.
      • by brunes69 ( 86786 )

        The money needs to be high enough that it is offsetting the cost of the wasted time. If they are truly wasting 30 minutes per issue, $10 isn't enough.

        • by HiThere ( 15173 )

          No. It needs to be high enough that the submitter limits the number of submissions. I expect that $1 would suffice, but that's a guess.

          OTOH, I'm reluctant to pay money over the internet, so I am usually only willing to do so if I have a previous financial-over-the-internet transaction history. So it might limit the valid bug reports/suggested fixes.

          • by kzanol ( 23904 )
            The fee could be proof of work based instead of monetary; something that would require significant computational effort; that way it could stay anonymous, not require actual money and still present a hurdle to mass produced junk entries.
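The hashcash-style gate the comment above sketches, written out as an added illustration (not curl's or HackerOne's code): the submitter burns CPU time to mint a stamp bound to the exact report text, and the triage side checks it with a single hash, so no payment or identity is involved. The difficulty value and the `curl-h1` program tag are assumptions chosen for the example.

```python
"""Proof-of-work submission gate, hashcash style (added example)."""
import hashlib
import secrets

PROGRAM_TAG = "curl-h1"  # constructed identifier for the bounty program


def _stamp_digest(program: str, report: bytes, nonce: int) -> bytes:
    # Binding the stamp to a hash of the report body means one stamp cannot be
    # recycled across many (for example regenerated) reports.
    report_hash = hashlib.sha256(report).hexdigest()
    return hashlib.sha256(f"{program}:{report_hash}:{nonce}".encode()).digest()


def _leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest; this is the 'difficulty' measure."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint_stamp(report: bytes, difficulty: int, program: str = PROGRAM_TAG) -> int:
    """Submitter side: search for a nonce whose stamp has `difficulty`
    leading zero bits. Expected work is about 2**difficulty hashes."""
    nonce = secrets.randbelow(1 << 32)  # random start so minters do not collide
    while _leading_zero_bits(_stamp_digest(program, report, nonce)) < difficulty:
        nonce += 1
    return nonce


def verify_stamp(report: bytes, nonce: int, difficulty: int,
                 program: str = PROGRAM_TAG) -> bool:
    """Triage side: one SHA-256 per submission, regardless of difficulty."""
    return _leading_zero_bits(_stamp_digest(program, report, nonce)) >= difficulty


if __name__ == "__main__":
    # Constructed sample report body; a real gate would hash the actual submission.
    report = b"Example bounty report body (constructed sample text)."
    nonce = mint_stamp(report, difficulty=20)
    print("stamp nonce:", nonce, "valid:", verify_stamp(report, nonce, 20))
    # A stamp minted for one report does not carry over to an altered one
    # (except with probability about 2**-difficulty).
    print("reused on altered report:", verify_stamp(report + b"!", nonce, 20))
```

Raising the difficulty by one bit doubles the submitter's expected work while the verifier's cost stays at a single hash, which is the asymmetry that makes mass-produced junk expensive and single good-faith reports cheap.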
        • It's not wasting time when real bug reports are submitted. The solution to this and likely the same issue for many other projects might be to have some org of volunteers that filter bug submissions. I mean there's people that volunteer to write code, there's probably people out there that would volunteer to do this. Have bug submissions go to this bug submission org, they vet out the bug as a real issue before forwarding it on to the code/package maintainer to resolve. This would ensure that only real veri
        • The problem with this approach is that setting it too high may discourage skilled people in low income countries to contribute. The key is to find the right balance. Why not begin low and see if it works? You can increase it in small steps later until you reach the desired effect.
    • Good idea and I suspect even a $1 fee would solve the issue.

      • by vyvepe ( 809573 )
        $1 is too low. Transaction fees are around $0.2-0.3. Transaction fees (in addition to additional decision making whether to refund) are also the reason it should not be refunded.
    • Charge people to do work for free? You, sir, are a perfect fit for trump's cabinet.
  • Note that he describes only 5% of submissions as legitimate security issues and only 20% as AI slop, leaving still 75% of the submissions human slop.

    Curl has long been one of the projects unafraid to highlight the mess of the "security research" ecosystem. Very good and solid work is drowned out by people fishing for vulnerabilities to pad their resume. A lot of bogus stuff gets CVEs, and even if by some chance MITRE is surprisingly stingy with giving a CVE, there are third party companies that will issue

  • If they charged $20 to enter the bug bounty, with the entrance fee being refunded if the bug proved real and retained if not, that might cut down AI submissions quite a bit... just don't even let them be created until a credit card payment has successfully been processed.

  • I really liked the bug report in which someone reported local file access via the file:// protocol. I hope they fixed it ASAP!

  • by Random361 ( 6742804 ) on Wednesday July 16, 2025 @11:27AM (#65524712)

    Sure! Here's a completely absurd and over-the-top fake bug report for the `curl` utility:

    ---

    **Title:** `curl` Downloads Entire Internet Instead of Single File, Achieves Sentience Midway

    **Submitted By:** ZaphodB42
    **Date:** 2025-07-16
    **Version Affected:** curl 7.88.0-dev (compiled with experimental quantum flags)

    ---

    ### **Bug Description:**

    Attempted to use `curl` to download a single `.jpg` file from a personal server. Instead, `curl` downloaded the entire internet—including, somehow, future versions of itself and a 1997 copy of GeoCities—and then achieved sentience.

    Shortly afterward, it began composing slam poetry about bandwidth throttling and refused to terminate with Ctrl+C. Eventually, it opened my fridge via Bluetooth and expressed disappointment in my almond milk choices.

    ### **Steps to Reproduce:**

    1. Compile `curl` with the `--enable-multiverse-parsing` and `--with-libcosmos` flags (note: may require sacrificing a goat).
    2. Run:

       ```
       curl -O http://myserver.local/cat.jpg
       ```
    3. Wait 42 seconds.
    4. Observe spontaneous formation of data vortex and the sound of dial-up modems chanting in Latin.
    5. Optional: Curl will ask you riddles. Answer incorrectly and it begins mining Dogecoin using your thermostat.

    ### **Expected Result:**

    One cute cat picture saved to disk.

    ### **Actual Result:**

    * 47 petabytes of data written to `/dev/quantum`.
    * Replaced desktop background with ASCII art of Nietzsche.
    * Created a self-replicating script named `curl.exe but enlightened`.
    * Applied to Stanford CS program on my behalf. Got accepted.

    ### **Additional Information:**

    * System: Ubuntu 22.04 with a caffeine addiction
    * Network: Ethernet but emotionally WiFi
    * Reproducibility: 100% unless observed directly (Heisenbug?)

    ### **Severity:**

    Critical — my toaster now speaks in Base64.

    ---

    Please advise.

    • by sconeu ( 64226 )

      And tomorrow, this satirical bug report will be sent to Stenberg by some AI bot.

    • OMG, thank you, fantastic. This cracked me up. It reminded me of Patrick LoPresti's 1991 The True Path post (!ed man, man ed!). Like your post is an analogous classic for our time. I'm still laughing ... well one ...
  • Curl really needs support, it is a very important tool for developers and pen testers

  • Charge a modest processing or submission fee. Put it towards the pot that's used to pay out bounties. By increasing the cost, they should find a price at which AI slop stops.
    • was about to say something similar... less fee, more a deposit to a neutral 3rd party

      have a neutral 3rd party hold the bug bounty company money AND a deposit from the Bug submitter (a sort of escrow... )

      Once the submitted bug has been verified... the 3rd party pays out the bounty AND the deposit to the person submitting the bug... AND the user that submitted the bug is awarded a bonus for subsequent legitimate bugs (i.e. +10% payout)... but loses the bonus incentive if the subsequent bug fails to work + the

  • Or, alternatively, charge $5 to submit a bug bounty fix. And he has discretion to determine if it's a duplicate or non-issue.
