The open-source project behind cURL, one of the internet's most fundamental tools, has shut down its bug bounty program after being overwhelmed by AI-generated security reports that project maintainer Daniel Stenberg describes as "slop."
For context: cURL is used by virtually every piece of software that makes HTTP requests. It's in your phone, your car, your smart fridge. It's downloaded billions of times per year. Finding real security bugs in cURL matters.
Which is why the bug bounty program existed in the first place. The idea was simple: security researchers could earn rewards for finding legitimate vulnerabilities. It worked well for years.
Then came the AI era.
Stenberg says the program became "unmanageable" due to the volume of automatically generated reports from people using AI to farm bug bounties. The submissions looked superficially plausible but were fundamentally nonsense - hallucinated vulnerabilities that didn't actually exist.
"The mental health aspect became a real concern," Stenberg explained. "We were spending hours investigating reports that a human security researcher would have immediately recognized as invalid."
This is what I mean when I say the technology is impressive but the question is whether anyone needs it. Can AI find real security bugs? Sometimes. Is it being used that way? Not here.
Instead, it's being used to generate convincing-sounding garbage at scale, overwhelming volunteer maintainers who are trying to secure critical internet infrastructure. The incentive structure is broken: AI makes it cheap to submit hundreds of plausible-looking reports, while humans still need to carefully evaluate each one.
The cURL team isn't alone. Multiple open-source projects have reported similar problems with AI-generated bug reports, pull requests, and issue tickets. The pattern is always the same: volume overwhelms quality, volunteers burn out, and the commons gets depleted.
Stenberg emphasized that cURL will continue to take security seriously through other channels. The bug bounty program wasn't the only way people reported vulnerabilities. But its closure represents a real loss - and a cautionary tale about what happens when AI-generated content meets community-run infrastructure.
