- Curl ends HackerOne bug bounty due to fake, AI-generated vulnerability reports
- Developers say incentives led to abuse, overwhelming security team with invalid submissions
- Starting February 2026, bug reports will be moved to GitHub without financial reward
The developers of curl, the command-line tool and open source software library, are removing their HackerOne bug bounty program because they are inundated with fake issues and vulnerabilities.
A new notice posted on GitHub says the program will end at the end of January 2026.
“Until the end of January 2026 there was a curl bug bounty. It no longer exists,” the document reads. “The curl project no longer offers bounties for reported bugs or vulnerabilities. We also do not help security researchers obtain such bounties for curl issues from other sources.”
Forcing the security team
The document then describes the status of the bug bounty program that apparently failed to serve its purpose:
“We’ve come to the harsh conclusion that a bug bounty gives people too strong incentives to find and fix bad faith ‘issues’ that cause overload and abuse. We still appreciate and value valid vulnerability reports.”
Quoting curl founder and lead developer Daniel Stenberg, BleepingComputer reported that the problem is “researchers” using Generative Artificial Intelligence (GenAI) to create “AI waste” reports.
The same source says that Stenberg recently sent an email to his followers, explaining how these bad reports are hurting the security team:
“We started the week receiving seven issues from HackerOne in a sixteen hour period. Some of them were real, correct bugs and dealing with these many took quite a while. We finally concluded that none of them identified a vulnerability and we now count twenty submissions made as far back as 2026,” Stenberg said.
“The main goal of closing the bounty is to remove the incentive for people to send us junk and not well-researched reports. AI-generated or not. The current torrent of submissions puts a huge burden on the curl security team and this is an attempt to reduce the noise.”
Starting in February 2026, all bug reports will go directly through GitHub and will not be paid for.