cURL Discontinues Bug Bounty Program Amid Surge of AI-Generated Reports

cURL ends its bug bounty program due to an influx of low-quality, AI-generated vulnerability reports overwhelming the security team.

Andrew Wallace

Professional Tech Editor

Focuses on professional-grade hardware, software, and enterprise solutions.

The cURL project, known for its widely used command-line tool and software library, has announced the termination of its bug bounty program. This decision comes after a significant increase in low-quality, AI-generated vulnerability reports that have overwhelmed the project's security team.

In a recent GitHub advisory, cURL's lead developer, Daniel Stenberg, stated that the program would conclude at the end of January 2026. He emphasized that the project would no longer offer rewards for reported bugs or vulnerabilities and would not assist security researchers in obtaining such rewards from other sources. (bleepingcomputer.com)

Stenberg highlighted the challenges posed by the influx of AI-generated reports, noting that while some submissions identified genuine issues, many were either irrelevant or minimally researched. This surge has placed a substantial burden on the security team, prompting the decision to discontinue the program to "reduce the noise" and focus on legitimate security concerns. (theregister.com)

Starting February 2026, cURL will transition to accepting bug reports directly through GitHub, without offering financial incentives. Stenberg expressed hope that this change would encourage well-researched reports of actual vulnerabilities, even without payment. (bleepingcomputer.com)

The move reflects a broader trend in the open-source community, where projects are grappling with the impact of AI-generated content on their operations. Maintainers are seeking ways to balance the benefits of AI-assisted research with the need to maintain the quality and reliability of their projects. (webpronews.com)

For more information, you can refer to the official cURL GitHub repository and the project's security documentation.
