cURL Ends Bug Bounty Program After Avalanche of AI-Generated Submissions
Hello HaWkers, Daniel Stenberg, creator and maintainer of cURL, announced the closure of the project's bug bounty program. The reason? An avalanche of AI-generated vulnerability reports that were consuming more team time than finding real bugs.
Let's understand what happened, the implications for the open-source ecosystem, and what this means for the future of security programs.
What Happened
Stenberg's Decision
Daniel Stenberg shared his frustration in a detailed post.
Stenberg quote:
"We are ending our bug bounty program. In recent months, more than 80% of submissions were clearly AI-generated - poorly written, factually incorrect, and consuming precious time from our small team to evaluate and reject."
Numbers that led to the decision:
| Period | Submissions | Valid | Validity Rate |
|---|---|---|---|
| 2023 | 47 | 31 | 66% |
| 2024 | 156 | 42 | 27% |
| 2025 | 412 | 23 | 5.6% |
| 2026 (Jan) | 87 | 2 | 2.3% |
Time spent on triage:
- 2023: ~20 hours/month
- 2024: ~60 hours/month
- 2025: ~120 hours/month
- 2026: "Unsustainable"
The Problem with AI Submissions
Characteristics of Problematic Reports
Stenberg described clear patterns in AI-generated reports.
Signs of AI-generated reports:
Generic and vague language
- "This code could potentially cause memory issues"
- "Function X may be vulnerable to Y attacks"
- Lack of specific technical details
Incorrect references
- Citation of CVEs that don't exist
- Mention of functions not in the codebase
- Line numbers that don't correspond
Lack of proof of concept
- No code demonstrating the exploit
- No reproduction steps
- Claims without evidence
Standardized formatting
- Identical structure between submissions
- Same section titles
- Same writing style
Impact on Open Source
The Burden on Maintainers
The cURL case illustrates a larger problem in the ecosystem.
Projects affected by AI submissions:
| Project | Submission Increase | AI Spam Rate |
|---|---|---|
| cURL | +776% | 80% |
| OpenSSL | +340% | 65% |
| Linux Kernel | +210% | 55% |
| FFmpeg | +420% | 70% |
| nginx | +280% | 60% |
Consequences for maintainers:
Accelerated burnout
- Time spent triaging garbage
- Less time for development
- Growing frustration
Delays in real bugs
- Legitimate bugs lost in noise
- Increased response time
- Impaired prioritization
Financial costs
- Bug bounty platforms charge fees
- Time = money (even volunteer time)
- Diverted resources
Why This Is Happening
The Economic Incentive
The combination of accessible AI and bug bounty programs created a problem.
The vicious cycle:
1. Programs offer rewards ($50 - $50,000)
↓
2. People discover they can use AI to generate reports
↓
3. Submission cost: ~$0 (minimal time)
↓
4. Even with low success rate, potential profit > 0
↓
5. Submission volume explodes
↓
6. Maintainers overwhelmed
↓
7. Real bugs ignored or delayed
↓
8. Programs closed or restricted
Solutions Under Discussion
What Can Be Done
The community is debating various approaches.
1. Mandatory human verification:
Proposed requirements:
- Mandatory working proof of concept
- Demonstrated test environment
- Video or screencast of exploitation
- Real-time interaction with triager
2. Reputation system:
- Track submission history
- Penalize low-quality reporters
- Reward consistent quality
- Access based on trust score
3. Submission fees:
| Researcher Type | Fee per Submission | Refund if Valid |
|---|---|---|
| New | $50 | 100% |
| Established | $25 | 100% |
| Verified | $0 | N/A |
4. AI detection:
- Pattern recognition for AI-generated text
- Verification that referenced code exists
- Cross-reference with known AI outputs
- Human review for flagged submissions
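A triage pre-screen that mechanises several of the checks this article lists (the "incorrect references" and "lack of proof of concept" signs above, and the "verification that referenced code exists" proposal), added here as an example and not code that cURL or its maintainers run: it pulls CVE ids, function mentions and file:line references out of a report, checks them against a source tree and a list of published CVEs, notes whether reproduction steps are present, and fingerprints the section titles so identical-template submissions can be spotted. The source tree, the CVE list and the three report texts are all constructed placeholders for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for a project's source tree (path -> file text).
# Placeholder files for this example, not cURL's actual sources.
CODEBASE = {
    "lib/url.c": (
        '#include "urldata.h"\n'
        "\n"
        "int parse_url(const char *s, size_t len)\n"
        "{\n"
        "    if(!s || !len)\n"
        "        return -1;\n"
        "    return 0;\n"
        "}\n"
    ),
    "lib/cookie.c": (
        "void cookie_add(struct Cookie *c)\n"
        "{\n"
        "    /* placeholder body */\n"
        "}\n"
    ),
}

# Constructed set of CVE ids the project has actually published (placeholder
# values, not real cURL advisories); a deployment would load the project's own list.
KNOWN_CVES = {"CVE-2099-0001", "CVE-2099-0002"}

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
FUNC_REF_RE = re.compile(r"\b([A-Za-z_]\w*)\(\)")                  # "foo()" in prose
LOC_RE = re.compile(r"\b((?:[\w.-]+/)*[\w.-]+\.[ch]):(\d+)\b")      # "lib/url.c:42"
HEADING_RE = re.compile(r"^(?:#{1,6}\s+(.+?)|([A-Z][A-Za-z /]+):)\s*$", re.MULTILINE)
POC_RE = re.compile(
    r"^\s*#*\s*(?:steps? to reproduce|reproduction steps?|proof of concept|poc)\b",
    re.IGNORECASE | re.MULTILINE,
)


def defined_functions(codebase):
    """Every identifier that appears as 'name(' anywhere in the source tree."""
    names = set()
    for src in codebase.values():
        names.update(re.findall(r"\b([A-Za-z_]\w*)\s*\(", src))
    return names


@dataclass
class Screening:
    missing_functions: list = field(default_factory=list)
    unknown_cves: list = field(default_factory=list)
    bad_locations: list = field(default_factory=list)
    has_poc: bool = False
    structure: tuple = ()          # sequence of section titles, lower-cased

    @property
    def flags(self):
        """Reasons a triager should look twice; an empty list means nothing tripped."""
        out = []
        if self.missing_functions:
            out.append("functions not in codebase: " + ", ".join(self.missing_functions))
        if self.unknown_cves:
            out.append("CVE ids not in the project's list: " + ", ".join(self.unknown_cves))
        if self.bad_locations:
            out.append("file:line references that do not resolve: " + ", ".join(self.bad_locations))
        if not self.has_poc:
            out.append("no proof of concept or reproduction steps")
        return out


def screen_report(text, codebase=CODEBASE, known_cves=KNOWN_CVES):
    """Run the reference checks from the article over one report body."""
    known_funcs = defined_functions(codebase)
    s = Screening()
    for name in sorted(set(FUNC_REF_RE.findall(text))):
        if name not in known_funcs:
            s.missing_functions.append(name)
    for cve in sorted(set(CVE_RE.findall(text))):
        if cve not in known_cves:
            s.unknown_cves.append(cve)
    for path, line in LOC_RE.findall(text):
        src = codebase.get(path)
        if src is None or not 1 <= int(line) <= len(src.splitlines()):
            s.bad_locations.append(f"{path}:{line}")
    s.has_poc = POC_RE.search(text) is not None
    s.structure = tuple((a or b).strip().lower() for a, b in HEADING_RE.findall(text))
    return s


def same_structure(a, b):
    """True when two screened reports share an identical sequence of section titles."""
    return bool(a.structure) and a.structure == b.structure


# Constructed sample submissions (not real reports).
AI_REPORT = """\
# Summary
The function curl_magic_free() in lib/url.c:500 may be vulnerable to use-after-free
attacks, similar to CVE-2099-9999. This code could potentially cause memory issues.

# Impact
Remote code execution is possible.

# Recommendation
Add bounds checks.
"""

AI_REPORT_2 = """\
# Summary
The function cookie_parse_magic() in lib/cookie.c:900 may be vulnerable to overflow attacks.

# Impact
Denial of service.

# Recommendation
Use safer string handling.
"""

GENUINE_REPORT = """\
# Summary
parse_url() at lib/url.c:5 does not validate len against the buffer; see steps below.
Related to the earlier fix CVE-2099-0001.

# Steps to reproduce
1. Build the library with AddressSanitizer.
2. Call parse_url("", 0) from a small test program and observe the result.

# Impact
Crash only in our testing.
"""

if __name__ == "__main__":
    for label, body in (("ai", AI_REPORT), ("genuine", GENUINE_REPORT)):
        print(label, screen_report(body).flags)
```

Every flag is a prompt for the human review the last bullet asks for, not a verdict: a report can reference real code and still be wrong, and a sloppy but real finding can cite a stale line number. The structure fingerprint is the cheap part of the "pattern recognition" idea; comparing it across a queue of submissions surfaces the identical-template pattern without trying to judge writing style.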
The Future of Open Source Security
Emerging Alternatives
With traditional bug bounties in crisis, new approaches emerge.
1. Sponsored audits:
- Companies that depend on the project fund professional audits
- Specialized teams analyze code
- Detailed, high-quality reports
2. Closed programs:
- Invite-only access
- Pre-verified researchers
- Long-term relationship
- Quality over quantity
3. Security funds:
- Companies contribute to collective fund
- Fund finances security for critical projects
- Distribution based on importance and risk
4. AI for defense:
If attackers use AI, defenders can too.
- AI-assisted static analysis
- Intelligent fuzzing
- Proactive vulnerability discovery
What Developers Can Do
Practical Actions
If you work with security or open source, here is what you can do.
If you're a maintainer:
- Establish clear submission requirements
- Require working PoC
- Implement cooldown period for reporters
- Consider invite-only programs
- Document AI report patterns
If you're a security researcher:
- Invest in quality, not quantity
- Build reputation with genuine work
- Always provide detailed PoC
- Communicate clearly with maintainers
- Avoid using AI to generate reports
If you're a company:
- Sponsor audits of projects you use
- Contribute to security funds
- Dedicate engineer time for security reviews
- Report bugs back to upstream
- Fund maintainers directly
Conclusion
The closure of cURL's bug bounty is a symptom of a larger problem: AI has made it easy to generate noise that is suffocating open-source projects. The community needs to find new models that incentivize genuine security research without overwhelming maintainers.
Key points:
- cURL closed bug bounty due to 80% AI submissions
- Maintainers spend more time triaging garbage than developing
- Economic incentive creates a vicious cycle
- Platforms are implementing countermeasures
- New security models are emerging
Recommendations:
- Researchers: focus on quality and reputation
- Maintainers: establish rigorous requirements
- Companies: sponsor security for critical projects
- Community: support sustainable models
- Everyone: recognize that AI is a tool, not a substitute
To understand more about AI and development, read: DHH States: AI Programming Tools Still Do Not Compare to Junior Developers.