Curl Ends Bug Bounty Program Amid Flood of Fake Reports

URGENT UPDATE: The developers of Curl, the widely used open-source command-line tool and library (libcurl), have just announced that they are ending their bug bounty program on HackerOne because of an overwhelming influx of bogus vulnerability reports. Effective February 2026, vulnerability reports will instead be accepted through GitHub, with no financial reward attached.

This significant decision comes after Curl's security team was inundated with low-quality submissions, many of them produced with generative AI tools. In a candid statement on GitHub, the Curl team expressed their frustration, stating, “We have concluded the hard way that a bug bounty gives people too strong incentives to find and make up ‘problems’ in bad faith that cause overload and abuse.”

According to Daniel Stenberg, Curl’s founder and lead developer, the situation has worsened recently. He noted, “We started out the week receiving seven HackerOne issues within a sixteen-hour period. Some of them were true and proper bugs, but we concluded that none of them identified a vulnerability.” Stenberg emphasized that the primary goal of shutting down the bounty is to eliminate the incentive for submissions lacking rigorous research and validity.

In light of these developments, all future bug reports are to be submitted through GitHub from February 2026. The Curl team hopes that removing the monetary incentive will cut the volume of unqualified submissions and reduce the triage burden on its security team.

The Curl project remains committed to valuing legitimate vulnerability reports, but the surge of AI-generated submissions has strained their resources significantly. As Stenberg pointed out, “The current torrent of submissions put a high load on the Curl security team, and this is an attempt to reduce the noise.”

This change mirrors a broader trend in the cybersecurity landscape, where companies are grappling with the effect of AI-generated submissions on vulnerability reporting. Notably, Microsoft is reportedly expanding its bug bounty programs, even for applications that previously had no official payouts, highlighting growing concern about the volume of AI-generated vulnerability reports.

This move by Curl raises important questions about the future of bug bounty programs in an era increasingly influenced by AI. As more submitters rely on automated tools, triage teams must separate a shrinking share of genuine findings from a growing volume of plausible-sounding but unverified reports, and the integrity of vulnerability reporting may face new challenges.

As the situation continues to evolve, stakeholders in the tech community are watching closely to see how these changes affect both security practices and the overall health of open-source projects. For now, researchers will no longer receive financial rewards for reporting bugs in Curl, shifting the focus back to genuine, well-researched contributions.

Stay tuned for more updates on this developing story as the tech industry adapts to these significant changes in vulnerability reporting.