Curl 因湧入大量 AI 生成的垃圾報告而終止漏洞賞金計畫

Zendesk ticket systems hijacked in massive global spam wave

Hackers breach Fortinet FortiGate devices, steal firewall configs

Fake Lastpass emails pose as password vault backup alerts

Hackers exploit 29 zero-days on second day of Pwn2Own Automotive

This $35 Swifdoo PDF editor license lasts for life

Curl ending bug bounty program after flood of AI slop reports

SmarterMail auth bypass flaw now exploited to hijack admin accounts

Microsoft Teams to add brand impersonation warnings to calls

How to access the Dark Web using the Tor Browser

How to enable Kernel-mode Hardware-enforced Stack Protection in Windows 11

How to use the Windows Registry Editor

How to backup and restore the Windows Registry

How to start Windows in Safe Mode

How to remove a Trojan, Virus, Worm, or other Malware

How to show hidden files in Windows 7

How to see hidden files in Windows

Qualys BrowserCheck

STOPDecrypter

AuroraDecrypter

FilesLockerDecrypter

AdwCleaner

ComboFix

RKill

Junkware Removal Tool

eLearning

IT Certification Courses

Gear + Gadgets

Security

Best VPNs

How to change IP address

Access the dark web safely

Best VPN for YouTube

Curl ending bug bounty program after flood of AI slop reports

The developer of the popular curl command-line utility and library announced that the project will end its HackerOne security bug bounty program at the end of this month, after being overwhelmed by low-quality AI-generated vulnerability reports.

The change was first discovered in a pending commit to curl's BUG-BOUNTY.md documentation, which removes all references to the HackerOne program.

Once merged, the file will be updated to state that the curl project no longer offers any rewards for reported bugs or vulnerabilities and will not help researchers obtain compensation from third parties either.

"Up until the end of January 2026 there was a curl bug bounty. It is no more. The curl project no longer offers any rewards for reported bugs or vulnerabilities. We also do not aid security researchers to get such rewards for curl problems from other sources either," reads the upcoming update.

curl is a command-line utility that allows you to transfer data over various protocols, most commonly used to connect to websites. An associated libcurl library enables developers to incorporate curl into their applications for easy file transfer support.

Since 2019, its bug bounty program has been run through HackerOne and the Internet Bug Bounty, offering cash rewards for responsibly disclosed security vulnerabilities in curl and libcurl.

Daniel Stenberg, curl's founder and lead developer, says the program has seen a large increase in low-effort and invalid reports, many of which appear to be AI-generated slop.

AI slop is the growing flood of low-effort, AI-generated content that sounds good but doesn't actually contain anything useful or productive.

In a recent post to his personal mailing list, Stenberg explains that these low-quality reports are straining the curl security team, leading him to withdraw from the program.

"We started out the week receiving seven Hackerone issues within a sixteen hour period. Some of them were true and proper bugs, and taking care of this lot took a good while. Eventually we concluded that none of them identified a vulnerability and we now count twenty submissions done already in 2026," explained Stenberg.

"The main goal with shutting down the bounty is to remove the incentive for people to submit crap and non-well researched reports to us. AI generated or not. The current torrent of submissions put a high load on the curl security team and this is an attempt to reduce the noise," continued his post.

In comments on the pull request, Stenberg said that withdrawing from HackerOne may not stop the flood of junk reports. However, he said that curl is a small open-source project with a limited number of active maintainers, and that, to ensure its survival and protect developers' mental health, he needed to take this action.

Stenberg has also shared examples of what he considers AI slop reports and said he has seen a steep rise in security submissions at curl compared to other open-source projects.

"We seem to have data that confirms that the #curl bug-bounty has received a steep increased submission rate through 2025, while several other Open Source programs also hosted on Hackerone have not," Stenberg posted to Mastodon.

The switch from HackerOne's bug bounty program to an internal submission process will happen in stages.

Stenberg says the curl project will accept HackerOne submissions until January 31, 2026, and that any reports in progress at that time will continue to be processed.

Starting February 1, 2026, the project will no longer accept new HackerOne submissions and will instead ask researchers to report security issues directly through GitHub.

Curl's new stance is also reflected in a recent update to its security.txt file, which states that the project offers no monetary compensation for reported vulnerabilities and warns that people who submit "crap" reports will be banned and ridiculed publicly.

Stenberg says he will publish a blog post next week with more details about this upcoming change.

Secrets Security Cheat Sheet: From Sprawl to Control

Whether you're cleaning up old keys or setting guardrails for AI-generated code, this guide helps your team build securely from the start.

Get the cheat sheet and take the guesswork out of secrets management.

Related Articles:

Chainlit AI framework bugs let hackers breach cloud environments

SmarterMail auth bypass flaw now exploited to hijack admin accounts

Microsoft updates Notepad and Paint with more AI features

Cisco fixes Unified Communications RCE zero day exploited in attacks

GitLab warns of high-severity 2FA bypass, denial-of-service flaws

Not a member yet? Register Now

You may also like:

Fortinet admins report patched FortiGate firewalls getting hacked

Ingram Micro says ransomware attack affected 42,000 people

Tesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026

Overdue a password health-check? Audit your Active Directory for free

Discover how phishing kits are sold and deployed. Download the full research report.

Identity Governance & Threat Detection in one: Get a guided tour of our platform

Terms of Use - Privacy Policy - Ethics Statement - Affiliate Disclosure

Copyright @ 2003 - 2026 Bleeping Computer® LLC - All Rights Reserved

Not a member yet? Register Now

Read our posting guidelinese to learn what content is prohibited.