cURL Project Ends Bug Bounty Program Due to AI-Generated Slop Reports
Published 2026-01-14 | Ingested 2026-04-07 | AI Regulation and Governance | Medium
Summary
The cURL open source project, one of the most widely used software libraries for data transfer, has ended its bug bounty program due to being overwhelmed by low-quality, AI-generated vulnerability reports. The project, maintained by Daniel Stenberg, found that the volume of fabricated or nonsensical security reports generated by large language models made it untenable to continue the bounty program, as maintainers were spending excessive time triaging worthless submissions rather than addressing
Alignment: New signal not yet covered
Related Positions: ai-governance-and-risk.md, ai-assisted-development-tooling.md
ai-slop, bug-bounty, curl, open-source-security, ai-generated-content, vulnerability-reporting, software-supply-chain, ai-governance, llm-abuse, security-triage