
The founder and lead developer of Curl, Daniel Stenberg, announced that due to an abundance of AI-generated junk, he is prepared to completely terminate the project’s bug bounty program. The issue is that he and other maintainers are overwhelmed with bug reports that people are creating with the help of AI.
Stenberg has been complaining about AI-related issues since early 2024, and, according to him, the situation is only getting worse over time.
Now, in addition to the regular AI-generated junk (the developer uses the term “AI slop” to refer to low-quality, AI-generated content), there is junk created by humans. Stenberg writes that these materials are of such low quality that it is not always possible to determine whether a bug report was written by a person using AI or by an AI model itself.
“The main trend of 2025 is that AI-generated junk is more prevalent than ever before (around 20% of all reports). On average, we receive about two vulnerability reports per week,” the developer writes. “As of early July, only about 5% of the messages received in 2025 were actual vulnerabilities. The validity rate has significantly decreased compared to previous years.”
The current situation has prompted Stenberg to reconsider whether it is worthwhile to maintain the bug bounty program for Curl at all. According to him, the project has paid out over $90,000 for 81 vulnerabilities discovered since 2019. Stenberg writes that he plans to spend the rest of the year contemplating possible solutions to the problem.
Currently, the Curl bug bounty program, outsourced to HackerOne, requires the author of a vulnerability report to disclose the use of generative AI. The program does not prohibit the use of AI, but it does not encourage it either.
While two bug reports per week may not seem like much, the problem lies in the fact that the Curl security team consists of only seven people. As Stenberg explains, three or four reviewers examine each submission, and this process takes anywhere from 30 minutes to three hours.
“Personally, I already spend an insane amount of time on Curl, and even three hours wasted still leaves time for other things,” writes Stenberg. “However, my colleagues dedicate all their time to Curl. They may only have three hours a week for the project. Not to mention how much emotional energy is drained by these mind-boggling absurdities.”
The developer notes that last week, the volume of AI-generated junk in bug reports increased eightfold compared to the usual level. Now, Stenberg is maintaining a list of junk vulnerability reports created with AI. Currently, it includes 22 reports of non-existent bugs.
As we previously reported, in December 2024, Python developer Seth Larson expressed similar concerns. He stated that responding to AI-generated reports is costly and time-consuming. Initially, these reports appear to be well-founded, but each requires thorough verification by an experienced specialist, and it often turns out that they are merely AI “hallucinations.”
In May 2025, Benjamin Piouffle, a software engineer from Open Collective, agreed with his colleagues’ opinion. He reported that Open Collective faced a similar problem with AI-generated junk.
“Perhaps, in the end, we will have to switch to a platform like HackerOne and restrict submissions to only verified researchers (right now, we do everything manually),” said Piouffle. “Ultimately, this will make it harder for young researchers to break into the industry.”
Stenberg writes that it is not entirely clear what HackerOne representatives should do to reduce AI usage. However, he insists that something needs to be done. For example, he is considering charging a fee for submitting bug reports or completely abandoning vulnerability reward payouts.
“Many of the authors of these reports seem to be genuinely misled by AI marketing and sincerely believe they are helping. Therefore, it is obvious that removing money from the equation will not be able to completely stop the flow of [junk reports],” concludes Stenberg.
