Popular command-line tool curl developers recently announced that the project will officially end its bug bounty program on the HackerOne platform at the end of January 2026, due to a large number of low-quality, AI-generated false vulnerability reports.

curl founder Daniel Stenberg said that this content, referred to as "AI Slop," may sound professional but actually has no substantial contribution, instead placing a heavy review burden on smaller maintenance teams. In just the past 16 hours, the team received seven invalid reports, and the total submissions since the beginning of 2026 have reached 20.

Hacker Cyber Attack (2)

Stenberg emphasized that the main purpose of closing the program is to eliminate the incentive for people to submit unreasonably researched reports, to protect developers' mental health, and ensure the project's sustainability.

According to the updated plan, starting from February 1, 2026, the curl project will no longer offer monetary rewards for any reported bugs, nor will it assist researchers in obtaining compensation from third parties. Future security issues will be reported directly through GitHub. Additionally, the project has clearly warned in the security.txt file that users submitting garbage reports may be banned or even publicly mocked.