arstechnica.com 1/22/2026, 11:21:09 PM · via preferred

Overrun with AI slop, cURL scraps bug bounties to ensure "intact mental health"


The cURL project, one of the Internet’s most popular networking tools, is scrapping its vulnerability reward programme after being flooded with low-quality reports, many of them AI-generated slop. Daniel Stenberg, the founder and lead developer, said on Thursday that while AI-assisted submissions can yield useful findings, the surge of distracting reports threatens the project’s survival and its members’ mental health.

An update to cURL’s official GitHub account said the bug bounty termination takes effect at the end of this month, and a separate post on security.txt was noted as part of the communication. The piece highlights bogus reports, including one that referenced a made-up CVE-2020-19909, illustrating how AI slop can mislead maintainers. Stenberg indicated that in September he publicly praised a researcher for using AI-powered tools to uncover bugs, which surfaced 22 fixes at the time. He warned that AI slop is overwhelming maintainers today and may spread beyond cURL to other bug-bounty programmes, according to Ars Technica.


Article by CyberSIXT