The curl project, one of the most widely used tools for data transfer on the internet, will no longer participate in the HackerOne bug bounty program. The decision was announced by Daniel Stenberg, founder and lead developer of curl, and stems from a sharp increase in low-quality and AI-generated vulnerability reports that have placed a growing burden on the project’s small maintenance team.
The change was disclosed in the project’s documentation file BUG-BOUNTY.md, with the final commit still pending. According to Stenberg, curl’s withdrawal from HackerOne will take effect on February 1, 2026.
Curl has been part of organised bug bounty efforts since 2019 through HackerOne and the Internet Bug Bounty program. These initiatives offered financial rewards to security researchers who responsibly disclosed legitimate vulnerabilities, while also helping contributors receive compensation from external institutions. That entire arrangement will now come to an end for curl.
AI “Slop” Overwhelms a Small Team
Stenberg cited a surge in invalid submissions—many of which were clearly generated by artificial intelligence—as the primary reason for ending the program. These reports often fail to identify real security issues or misunderstand how curl and its companion library, libcurl, actually work.
In a recent example shared by Stenberg, seven vulnerability reports were submitted within a 16-hour window during the first week of January, none of which described an actual flaw. By January 16, that number had risen to 20 reports, all of which were deemed invalid. Reviewing and responding to these submissions, he said, has become a significant drain on time and mental energy for a project maintained by a relatively small team.
Curl is a core piece of internet infrastructure, used daily to transfer data over protocols such as HTTP, FTP, and others. Its associated library, libcurl, is embedded in countless applications, making security reports critically important—but only when they are accurate and actionable.
End of Financial Incentives and Policy Shift
With the removal of the bug bounty program, curl will no longer offer monetary rewards for vulnerability disclosures, nor will it use HackerOne as an intermediary to facilitate compensation from third parties. Reports can still be submitted through HackerOne until January 31, 2026, after which all security issues must be reported directly via GitHub.
Stenberg expressed hope that removing the financial incentive will discourage spam submissions and reduce the volume of AI-generated or careless reports. He also took a firm stance in the project’s security.txt file, stating that contributors who submit “trash” reports risk being banned and publicly called out.
Further details about how curl will handle security disclosures going forward are expected to be published soon. For now, the move underscores a growing challenge facing open-source projects: balancing responsible security research with the unintended consequences of automated AI tooling flooding maintainers with noise instead of meaningful signal.
