
cURL Project Ends Bug Bounty After Wave of AI-Generated Spam

Hello HaWkers, one of the most fundamental tools of the modern internet just made a drastic decision. Daniel Stenberg, creator and maintainer of cURL, announced the end of the project's bug bounty program after a wave of low-quality submissions clearly generated by AI tools.

This case illustrates a growing problem affecting open source projects worldwide.

What Happened

Daniel Stenberg's Announcement

In a post on his blog, Stenberg explained the reasons behind the decision.

Quote from announcement:

"We are ending our bug bounty program after years of success because noise now exceeds signal. Most recent submissions are clearly AI-generated, describe vulnerabilities that don't exist, and consume precious volunteer time to evaluate."

Revealed numbers:

  • 400% increase in submissions in the last year
  • Over 80% of recent submissions were invalid
  • Average time to evaluate each report: 30-60 minutes
  • Only 2-3% resulted in actual fixes

The AI Spam Problem

How the Abuse Works

The abuse pattern identified by cURL is common in other bug bounty programs.

Typical abuser flow:

  1. Takes the project's public source code
  2. Feeds it to an AI tool with a prompt like "find vulnerabilities"
  3. The AI generates a report that looks professional but is superficial
  4. Submits dozens of reports, hoping some will be valid
  5. Repeats across hundreds of projects simultaneously

Characteristics of AI-generated reports:

  • Excessively formal and generic language
  • References to CVEs that don't apply to the context
  • "Vulnerabilities" that don't exist in the code
  • Lack of functional Proof of Concept
  • Inability to answer follow-up questions

Examples of False Positives

Stenberg shared some anonymized examples of invalid reports.

Example 1 - Non-existent buffer overflow:

"We identified a critical buffer overflow in function X when input larger than Y bytes is processed..."

Reality: The function checks the input size in its first lines. The reporter clearly did not read the code.

Example 2 - SQL Injection in project without SQL:

"SQL injection vulnerability detected in endpoint Z allowing data exfiltration..."

Reality: cURL does not use a SQL database. The report was probably generated from a generic template.

Example 3 - Inapplicable CVE:

"This project is vulnerable to CVE-2024-XXXXX as demonstrated in similar projects..."

Reality: The referenced CVE affects a completely different library that cURL never used.

Impact on Open Source

The Cost of Noise

Open source projects operate with limited resources, and security report spam has real cost.

Resources consumed:

  • Maintainer time: Hours evaluating false reports
  • Emotional energy: Frustration with wasted work
  • Opportunity: Time not spent on real improvements
  • Risk: Real reports may be ignored in the noise

Psychological impact:

Many maintainers already report burnout for other reasons. Adding security report spam aggravates the problem and can lead to project abandonment.

Other Affected Projects

cURL is not the only project facing this problem.

Projects that reported similar issues:

  • Linux kernel (reports via Bugzilla)
  • Apache Foundation (multiple projects)
  • Mozilla (Firefox and Thunderbird)
  • Kubernetes (security reports)
  • Various projects on HackerOne

Industry response:

Some bug bounty platforms are implementing AI filters to detect AI-generated reports. The irony of using AI to filter AI spam doesn't go unnoticed.

The Two Sides of AI in Security

The Positive Side

It is important to recognize that AI can and should be used legitimately in software security.

Valid uses of AI in security:

  1. Static analysis: Tools like CodeQL use ML to detect patterns
  2. Smart fuzzing: Automatic generation of test inputs
  3. Code review: Assist (not replace) human review
  4. Documentation: Help write clearer reports
  5. Triage: Prioritize reports for human analysis

The crucial difference:

AI as a tool to assist qualified researchers is completely different from AI replacing research work.

The Problematic Side

The problem arises when AI is used to generate volume without quality.

Misaligned incentives:

  • Bug bounties pay per valid report
  • AI allows generating many reports quickly
  • Cost of submitting is almost zero
  • Evaluation consumes significant resources

Result: a tragedy of the commons in which the shared resource (maintainer time) is depleted.

Possible Solutions

What Projects Can Do

There are strategies to mitigate the problem without eliminating bug bounties entirely.

Quality filters:

  1. Mandatory Proof of Concept: A report without a functional PoC is automatically rejected
  2. Technical questionnaire: Questions that AI tools cannot answer
  3. Reporter reputation: History of valid submissions
  4. Submission rate: Limit the number of reports per period

Identity verification:

  • Require GitHub account with real history
  • Identity verification for payments
  • Blacklist of known abusers

Incentive adjustment:

  • Pay only after complete validation
  • Penalties for repeated invalid reports
  • Bonus for high-quality reports

What Platforms Can Do

HackerOne, Bugcrowd, and other platforms have an important role.

Suggested measures:

  • Automatic detection of AI-generated reports
  • Quality score based on history
  • Prior review by platform specialists
  • Education of researchers on ethical AI use

Lessons for Developers

If You Work With Security

For security professionals, there are important lessons.

Best practices:

  1. Use AI as an assistant, not a substitute: AI can help identify areas to investigate, but the research should be yours
  2. Always validate manually: Never submit something you haven't personally tested
  3. Understand the code: Read source code before reporting
  4. Provide complete PoC: Demonstrate vulnerability reproducibly
  5. Be specific: Avoid generic template language

What not to do:

  • Submit mass reports hoping some will be valid
  • Use AI outputs without verification
  • Report without understanding project context
  • Prioritize quantity over quality

If You Maintain Open Source Projects

Some recommendations for maintainers.

Project protection:

  1. Define clear criteria: What constitutes a valid report
  2. Mandatory template: Require specific information
  3. Automatic triage: Reject obviously invalid reports
  4. Community: Delegate triage to trusted contributors
  5. Documentation: Maintain clear security policy
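A triage filter that encodes the quality filters and the mandatory-template recommendation from the two lists above, as an added example that is not cURL's tooling or policy; the field names, thresholds, placeholder CVE identifiers and sample reports are all constructed:

```python
import re
# Constructed policy, not cURL's actual one: required template fields and thresholds
REQUIRED_FIELDS = ("Affected function", "Affected version", "Proof of Concept")
PLACEHOLDERS = {"x", "y", "z", "n/a", "unknown", "tbd"}
MAX_PER_WEEK, MAX_INVALID_STREAK = 3, 5   # rate limit; invalid-only history that triggers auto-reject
PROJECT_CVES = {"CVE-0000-0001"}          # constructed stand-in for the project's own advisories

def parse_fields(body):
    """Split a 'Field: value' report into a dict; following lines belong to the open field."""
    fields, current = {}, None
    for line in body.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)
        if m and m.group(1) in REQUIRED_FIELDS:
            current = m.group(1)
            fields[current] = m.group(2)
        elif current is not None:
            fields[current] += "\n" + line
    return {k: v.strip() for k, v in fields.items()}

def triage(report, project_cves, history):
    """report: {'reporter','day','body'}; history: [(reporter, day, was_valid), ...]. Returns (accepted, reasons)."""
    fields, reasons = parse_fields(report["body"]), []
    for name in REQUIRED_FIELDS:   # mandatory template: no empty or placeholder fields
        if not fields.get(name) or fields[name].lower() in PLACEHOLDERS:
            reasons.append(f"template field missing or placeholder: {name}")
    poc = fields.get("Proof of Concept", "")
    if poc and not re.search(r"^\$ \S", poc, re.M):   # PoC needs a runnable command line
        reasons.append("PoC has no runnable reproduction step")
    for cve in sorted(set(re.findall(r"CVE-\d{4}-\d{4,7}", report["body"]))):
        if cve not in project_cves:   # cited CVEs must be advisories this project issued
            reasons.append(f"{cve} does not apply to this project")
    mine = [(day, ok) for who, day, ok in history if who == report["reporter"]]
    if sum(report["day"] - day < 7 for day, _ in mine) >= MAX_PER_WEEK:
        reasons.append("submission rate limit exceeded")
    if sum(not ok for _, ok in mine) >= MAX_INVALID_STREAK and not any(ok for _, ok in mine):
        reasons.append("reporter has only invalid history")
    return (not reasons, reasons)

# Constructed samples: one meeting the template, one shaped like the spam the article describes
GOOD_REPORT = {"reporter": "alice", "day": 10, "body": """\
Affected function: parse_url
Affected version: 1.2.3
Proof of Concept:
$ ./tool --input crash-input.bin
"""}
SPAM_REPORT = {"reporter": "bot", "day": 10, "body": """\
Affected function: X
Affected version: latest
Proof of Concept: This project is vulnerable to CVE-0000-0002 as demonstrated in similar projects.
"""}
```

Every rejection returns its reasons, so the same output can feed an automatic reply to the reporter and a per-reporter history for the reputation check.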

Conclusion

The end of cURL's bug bounty is a symptom of a larger problem: the misuse of AI to generate low-quality content at scale. While AI tools can and should assist security researchers, using them as a substitute for qualified work harms the entire ecosystem.

Key points:

  1. cURL ended bug bounty due to AI-generated report spam
  2. Over 80% of recent submissions were invalid
  3. The problem affects open source projects worldwide
  4. AI should be used as a tool, not as a substitute for expertise
  5. Solutions involve better filtering and incentive adjustment

For the security community, the message is clear: quality matters more than quantity. Superficial AI-generated reports not only fail to help; they actively harm the software security ecosystem.

For more on AI and its impact on development, read: San Diego Comic-Con Bans AI-Created Works from Art Exhibition.

Let's go! 🦅
