The founder and lead developer of Curl, Daniel Stenberg, announced that due to an abundance of AI-generated junk, he is prepared to completely terminate the project’s bug bounty program. The issue is that he and other maintainers are overwhelmed with bug reports that people are creating with the help of AI.
Stenberg complains about AI-related issues since early 2024. And, according to him, the situation is only getting worse over time.
Now, in addition to the regular AI-generated junk (the developer uses the term “AI slop” to refer to low-quality, AI-generated content), there is junk created by humans. Stenberg writes that these materials are of such low quality that it is not always possible to determine whether a bug report was written by a person using AI or by an AI model itself.
“The main trend of 2025 is that AI-generated junk is more prevalent than ever before (around 20% of all reports). On average, we receive about two vulnerability reports per week,” the developer writes. “As of early July, only about 5% of the messages received in 2025 were actual vulnerabilities. The validity rate has significantly decreased compared to previous years.”
The current situation has prompted Stenberg to reconsider whether it is worthwhile to maintain the bug bounty program for Curl at all. According to him, the project has paid out over $90,000 for 81 vulnerabilities discovered since 2019. Stenberg writes that he plans to spend the rest of the year contemplating possible solutions to the problem.
Currently, the Curl bug bounty program, outsourced to HackerOne, requires the author of a vulnerability report to disclose the use of generative AI. The program does not prohibit the use of AI, but it does not encourage it either.
While two bug reports per week may not seem like much, the problem lies in the fact that the Curl security team consists of only seven people. As Stenberg explains, three or four reviewers examine each submission, and this process takes anywhere from 30 minutes to three hours.
“Personally, I already spend an insane amount of time on Curl, and even three hours wasted still leaves time for other things,” writes Stenberg. “However, my colleagues dedicate all their time to Curl. They may only have three hours a week for the project. Not to mention how much emotional energy is drained by these mind-boggling absurdities.”
The developer notes that last week, the volume of AI-generated junk in bug reports increased eightfold compared to the usual level. Now, Stenberg is maintaining a list of junk vulnerability reports created with AI. Currently, it includes 22 reports of non-existent bugs.
As we previously reported, in December 2024, Python developer Seth Larson expressed similar concerns. He stated that responding to AI-generated reports is costly and time-consuming. Initially, these reports appear to be well-founded, but each requires thorough verification by an experienced specialist, and it often turns out that they are merely AI “hallucinations.”
In May 2025, Benjamin Piouffle, a software engineer from Open Collective, agreed with his colleagues’ opinion. He reported that Open Collective faced a similar problem with AI-generated junk.
“Perhaps, in the end, we will have to switch to a platform like HackerOne and restrict submissions to only verified researchers (right now, we do everything manually),” said Piufl. “Ultimately, this will make it harder for young researchers to break into the industry.”
Stenberg writes that it is not entirely clear what HackerOne representatives should do to reduce AI usage. However, he insists that something needs to be done. For example, he is considering charging a fee for submitting bug reports or completely abandoning vulnerability reward payouts.
“Many of the authors of these reports seem to be genuinely misled by AI marketing and sincerely believe they are helping. Therefore, it is obvious that removing money from the equation will not be able to completely stop the flow of [junk reports],” concludes Stenberg.
2025.02.09 — Abandoned AWS S3 buckets could be used in attacks targeting supply chains
watchTowr discovered plenty of abandoned Amazon S3 buckets that could be used by attackers to deliver malware and backdoors to government agencies and large corporations. The researchers discovered…
Full article →
2025.02.12 — 2.8 million IP addresses used to brute-force network devices
The Shadowserver Foundation warns of a massive web login brute-forcing attacks targeting nearly 2.8 million IP addresses per day. Unknown attackers are seeking…
Full article →
2025.04.16 — Android devices will restart every three days to protect user data
Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…
Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
Full article →
2025.01.30 — Hackers use vulnerabilities in SimpleHelp RMM to attack corporate networks
Experts believe that recently patched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) were used by attackers to gain initial access to corporate networks. A number…
Full article →
2025.03.05 — Polish Space Agency disconnects its network due to hacker attack
Last weekend, the Polish Space Agency (POLSA) had to disconnect all of its systems from the Internet to localize an attack targeting its IT infrastructure. After discovering the intrusion,…
Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…
Full article →
2025.01.28 — J-magic backdoor attacked Juniper Networks devices using 'magic packets'
A massive backdoor attack targeting Juniper routers often used as VPN gateways has been uncovered. The devices were attacked by the J-magic malware that…
Full article →
2025.03.07 — YouTube warns of scam video featuring its CEO
According to YouTube, scammers use an AI-generated video of the company's CEO in phishing attacks to steal user credentials. The scammers attack content creators by sending them…
Full article →
2025.01.29 — Google to disable Sync in older Chrome versions
Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…
Full article →