Curl Ends Bug Bounty Program Amid Flood of AI-Generated Reports

UPDATE: Curl, the popular open-source command-line tool, has announced the termination of its HackerOne bug bounty program due to an overwhelming influx of fake vulnerability reports. The decision takes effect at the end of January 2026, marking a significant shift in how security issues will be addressed.

The developers revealed that they are being inundated with what they describe as “AI slop” — reports generated by Generative Artificial Intelligence that often lack validity. From February 2026 onwards, all bug reports will be directed to GitHub, where no financial rewards will be offered, effectively ending any previous incentives for reporting.

According to Daniel Stenberg, the founder and lead developer of Curl, the situation has become untenable. He stated, “We started out the week receiving seven HackerOne issues within a sixteen-hour period. Some of them were true and proper bugs, but eventually we concluded that none of them identified a vulnerability.” Stenberg emphasized that this move aims to eliminate the incentive for researchers to submit poorly researched reports that burden the security team.

The volume of submissions has strained the Curl security team, leading to an urgent need for reform. Stenberg noted, “We now count twenty submissions done already in 2026. The main goal with shutting down the bounty is to reduce the noise and focus on genuine vulnerabilities.”

This shift comes at a time when Microsoft is expanding its bug bounty programs, even for projects without official payouts. As AI-generated code continues to introduce more bugs than human output, the need for effective security measures has never been more critical.

The Curl team continues to value valid vulnerability reports but has concluded that the current bounty framework is counterproductive. The decision to move bug reporting to GitHub without financial incentives represents a significant change in their approach to security.

As this story develops, stakeholders in the tech community are urged to take note of the implications for security research and the role of AI in generating reports. With the deadline for the current bounty program approaching, developers and researchers should prepare for the transition to GitHub.
