Curl Developer Considers Ending Bug Bounties Due to AI-Generated Junk

Date: 21/07/2025

The founder and lead developer of Curl, Daniel Stenberg, announced that due to an abundance of AI-generated junk, he is prepared to completely terminate the project’s bug bounty program. The issue is that he and other maintainers are overwhelmed with bug reports that people are creating with the help of AI.

Stenberg has been complaining about AI-related issues since early 2024, and, according to him, the situation has only worsened over time.

Now, in addition to the usual AI-generated junk (the developer uses the term “AI slop” for low-quality, AI-generated content), there is junk produced by humans working with AI. Stenberg writes that these submissions are of such low quality that it is not always possible to tell whether a bug report was written by a person using AI or by an AI model itself.

“The main trend of 2025 is that AI-generated junk is more prevalent than ever before (around 20% of all reports). On average, we receive about two vulnerability reports per week,” the developer writes. “As of early July, only about 5% of the messages received in 2025 were actual vulnerabilities. The validity rate has significantly decreased compared to previous years.”

The current situation has prompted Stenberg to reconsider whether it is worthwhile to maintain the bug bounty program for Curl at all. According to him, the project has paid out over $90,000 for 81 vulnerabilities discovered since 2019. Stenberg writes that he plans to spend the rest of the year contemplating possible solutions to the problem.

Currently, the Curl bug bounty program, which is run through HackerOne, requires the author of a vulnerability report to disclose any use of generative AI. The program does not prohibit the use of AI, but it does not encourage it either.

While two bug reports per week may not seem like much, the problem lies in the fact that the Curl security team consists of only seven people. As Stenberg explains, three or four reviewers examine each submission, and this process takes anywhere from 30 minutes to three hours.

“Personally, I already spend an insane amount of time on Curl, and even three hours wasted still leaves time for other things,” writes Stenberg. “However, my colleagues dedicate all their time to Curl. They may only have three hours a week for the project. Not to mention how much emotional energy is drained by these mind-boggling absurdities.”

The developer notes that last week, the volume of AI-generated junk in bug reports increased eightfold compared to the usual level. Now, Stenberg is maintaining a list of junk vulnerability reports created with AI. Currently, it includes 22 reports of non-existent bugs.

As we previously reported, in December 2024, Python developer Seth Larson expressed similar concerns. He stated that responding to AI-generated reports is costly and time-consuming. Initially, these reports appear to be well-founded, but each requires thorough verification by an experienced specialist, and it often turns out that they are merely AI “hallucinations.”

In May 2025, Benjamin Piouffle, a software engineer from Open Collective, agreed with his colleagues’ opinion. He reported that Open Collective faced a similar problem with AI-generated junk.

“Perhaps, in the end, we will have to switch to a platform like HackerOne and restrict submissions to only verified researchers (right now, we do everything manually),” said Piouffle. “Ultimately, this will make it harder for young researchers to break into the industry.”

Stenberg writes that it is not entirely clear what HackerOne representatives should do to reduce AI usage. However, he insists that something needs to be done. For example, he is considering charging a fee for submitting bug reports or completely abandoning vulnerability reward payouts.

“Many of the authors of these reports seem to be genuinely misled by AI marketing and sincerely believe they are helping. Therefore, it is obvious that removing money from the equation will not be able to completely stop the flow of [junk reports],” concludes Stenberg.
