The developer of the popular curl command-line utility and library announced that the project will end its HackerOne security bug bounty program at the end of this month, after being overwhelmed by low-quality AI-generated vulnerability reports.
The change was first discovered in a pending commit to curl's BUG-BOUNTY.md documentation, which removes all references to the HackerOne program.
Once merged, the file will be updated to state that the curl project no longer offers any rewards for reported bugs or vulnerabilities and will not help researchers obtain compensation from third parties either.
"Up until the end of January 2026 there was a curl bug bounty. It is no more. The curl project no longer offers any rewards for reported bugs or vulnerabilities. We also do not aid security researchers to get such rewards for curl problems from other sources either," reads the upcoming update.
curl is a command-line utility that allows you to transfer data over various protocols, most commonly used to connect to websites. An associated libcurl library enables developers to incorporate curl into their applications for easy file transfer support.
Since 2019, its bug bounty program has been run through HackerOne and the Internet Bug Bounty, offering cash rewards for responsibly disclosed security vulnerabilities in curl and libcurl.
Daniel Stenberg, curl's founder and lead developer, says the program has seen a large increase in low-effort and invalid reports, many of which appear to be AI-generated slop.
AI slop is the growing flood of low-effort, AI-generated content that sounds good but doesn't actually contain anything useful or productive.
In a recent post to his personal mailing list, Stenberg explains that these low-quality reports are straining the curl security team, leading him to withdraw from the program.
"We started out the week receiving seven Hackerone issues within a sixteen hour period. Some of them were true and proper bugs, and taking care of this lot took a good while. Eventually we concluded that none of them identified a vulnerability and we now count twenty submissions done already in 2026," explained Stenberg.
... continue reading