curl ends HackerOne bug bounty after surge of AI reports
🔒 The curl project will end its HackerOne bug bounty program after being overwhelmed by a surge of low-quality, apparently AI-generated vulnerability reports that strained the small security team and harmed maintainers' wellbeing. Founder Daniel Stenberg said the torrent of AI slop submissions created a high triage burden. The project will accept HackerOne reports through January 31, 2026, then move to direct reporting via GitHub with no monetary rewards.
