- Curl ends HackerOne bug bounty due to fake and AI-generated vulnerability reports
- Developers say incentives led to abuse and overwhelmed the security team with invalid submissions
- From February 2026, bug reports will be moved to GitHub without financial rewards
The developers of curl, the open source command line tool and software library, are killing their HackerOne bug bounty program because they are being inundated with fake issues and vulnerabilities.
In a new advisory published on GitHub, the project said the program will sunset at the end of January 2026.
“Until the end of January 2026, there was a curl error. It is no more,” the document reads. “The curl project no longer offers any rewards for reported bugs or vulnerabilities. We also do not help security researchers obtain such rewards for curl issues from other sources.”
Stresses the security team
The document then describes the state of the bug bounty program, which apparently did not serve its purpose:
“We’ve concluded the hard way that a bug bounty gives people too strong incentives to find and make up bad faith ‘issues’ that cause overload and abuse. We value and still value valid vulnerability reports.”
Quoting curl’s founder and lead developer, Daniel Stenberg, Bleeping Computer reported that the problem is that “researchers” are using Generative Artificial Intelligence (GenAI) to create “AI slop” reports.
The same source says Stenberg recently emailed his followers explaining how these bad reports are hurting the security team:
“We started the week off receiving seven HackerOne issues within a 16-hour period. Some of them were true and correct bugs, and it took quite a while to take care of this item. In the end, we concluded that none of them identified a vulnerability, and we now count twenty submissions already done in 2026,” Stenberg said.
“The main goal of shutting down the bounty is to remove the incentive for people to submit crap and unresearched reports to us. AI generated or not. The current flow of submissions is putting a heavy load on the curl security team and this is an attempt to reduce the noise.”
From February 2026, all bug reports will go directly through GitHub and will not be paid for.



