Curl drops bug bounty after AI-driven report surge
Curl, one of the world’s most widely used data transfer tools, has shut down its bug bounty programme after an overwhelming influx of low-quality vulnerability reports generated with the help of artificial intelligence began to swamp its small security team.
Daniel Stenberg, the creator and lead maintainer of curl, said the volume of submissions claiming security flaws had grown to a level that could no longer be handled responsibly. Many of the reports, he explained, were produced using large language models that generated plausible-sounding but incorrect analyses of the curl codebase, forcing maintainers to spend significant time verifying issues that turned out to be baseless.
The decision marks a notable moment in the wider open-source ecosystem, where bug bounty programmes are increasingly strained by automated or semi-automated submissions. Curl, which is embedded in operating systems, networking equipment, smartphones and countless applications, has long been regarded as a critical piece of internet infrastructure. Its security disclosures are closely watched because flaws can have far-reaching consequences.
Stenberg said the project’s bug bounty system had initially been introduced to encourage responsible disclosure and reward researchers who invested real effort into finding genuine vulnerabilities. Over time, however, the incentives began to attract a different kind of participation. Submissions grew sharply in number but not in quality, with many reports recycling generic vulnerability patterns or misinterpreting perfectly safe code paths as exploitable weaknesses.
According to Stenberg, a growing share of these reports showed clear signs of having been generated or heavily assisted by AI tools. They often included confident language, references to well-known classes of vulnerabilities and long explanations that collapsed under scrutiny. Each submission still required manual review, code inspection and testing, creating a workload disproportionate to the benefits of the programme.
The curl security team is small and largely volunteer-driven. Unlike large technology companies that run bug bounties with dedicated staff and automated triage systems, curl relies on maintainers who balance security work with development, documentation and community support. Stenberg said the time spent filtering out invalid reports had begun to interfere with addressing real issues and improving the software.
The move has sparked debate across the security research community. Bug bounties have become a standard mechanism for identifying vulnerabilities, particularly in high-profile projects. Supporters argue that financial incentives widen participation and uncover flaws that internal audits may miss. Critics counter that bounties can distort behaviour, encouraging quantity over quality and rewarding superficial analysis.
AI has intensified these tensions. Large language models can scan code, flag potential issues and draft vulnerability reports in seconds. Used carefully by experienced researchers, such tools can improve productivity. Used indiscriminately, they can flood maintainers with false positives. Several open-source projects have reported similar pressures, though few as prominent as curl have taken the step of ending a bounty outright.
Stenberg emphasised that curl is not closing the door on security reports themselves. The project continues to accept vulnerability disclosures through established channels and remains committed to responsible handling and timely fixes. What has changed is the removal of a financial reward that, in the project’s assessment, no longer aligned with sustainable security practices.
The decision also highlights the uneven impact of AI across the software supply chain. While large organisations can absorb the cost of noisy inputs, smaller projects that underpin much of the internet often lack the resources to do so. Security experts warn that if maintainers burn out or disengage, the overall risk to the ecosystem increases.
Some researchers have suggested reforms rather than abandonment, such as stricter submission requirements, proof-of-concept mandates or higher bars for eligibility. Others argue that community norms must evolve, with clearer expectations around the ethical use of AI in security research and greater emphasis on validation before disclosure.
The article Curl drops bug bounty after AI-driven report surge appeared first on Arabian Post.