The project developer for one of the Internet’s most popular networking tools is scrapping its vulnerability reward program after being overrun by a spike in the submission of low-quality reports, much of it AI-generated slop.
“We are just a small single open source project with a small number of active maintainers,” Daniel Stenberg, the founder and lead developer of the open source app cURL, said Thursday. “It is not in our power to change how all these people and their slop machines work. We need to make moves to ensure our survival and intact mental health.”
Seems like this became a big problem for open source maintainers. Not just people submitting AI-generated wrong bug reports but also then answering back with an LLM too. So whereas it might take a maintainer 5 mins to read a reply and come up with a response, it takes the submitter about a couple of seconds. Going for a few cycles, that takes about 10-20 mins per report from your volunteering time. They really eat up people’s bandwidth. And spotting such bug reports just from the language alone will likely become harder and harder.
His comments came as cURL users complained that the move was treating the symptoms caused by AI slop without addressing the cause. The users said they were concerned the move would eliminate a key means for ensuring and maintaining the security of the tool.
A single user commented, and they responded. “users complained” and “the users” is wrong, implying something different.
“users complained” feels like a misrepresentation to me as well, at least how I read and understand “complained”. The user wrote “As a security researcher, this is honestly painful to see, but also completely understandable.” Is it complaining if they understand the act and change?
In a separate post on Thursday, Stenberg wrote: “We will ban you and ridicule you in public if you waste our time on crap reports.”
The linked separate post is a /.well-known/security.txt file. It’s not really a “separate post”. And I don’t see where they got the date from. Maybe from whatever linked to that in the first place.
An update to cURL’s official GitHub account made the termination, which takes effect at the end of this month, official.
Isn’t that from the merge request, which is not merged yet? It’s definitely not in the main branch. The current MR state is something different. The MR discussion clearly states that they will merge on the 26th, not earlier.
“an update to the official GitHub account” makes no sense to me in the first place, when it’s a file in a repo, not even the account.
At first, I only wanted to point out one thing. Now this whole article feels like AI slop. Dunno how warranted that feeling/assessment is. Is it sloppy reporting? Am I, as a reader, the problem?
/edit: The BleepingComputer article posted in the community is much better/more consistent/coherent. Of course, this one was earlier and already has traction.
Relevant, from a PR comment:
On Monday January 26, 2026, I intend to merge this pull-request and post an explainer blog post detailing some further reasoning and details behind this move. The change, the end of the bounty, is officially set for January 31 but I am certain it will take some days to “take effect” and by merging the update a few days early I don’t think we actually hurt anyone.
This is more on morons than AI.
To paraphrase Chuck McGill, AI is like giving a chimp a machine gun.