The maintainers of curl, the widely used command-line tool, have scrapped the project's vulnerability reward program after an unprecedented flood of low-quality submissions, many of them AI-generated. Founder Daniel Stenberg said the project is small and cannot control how all these people and their “slop machines” operate; the move is intended to safeguard the project’s survival and the team’s mental health.
Users criticized the decision, arguing it treats symptoms rather than addressing the root cause of AI-driven noise. Stenberg acknowledged the concern but said the team had little choice given the scale of submissions. In a separate post, he warned that anyone wasting time with junk reports would be banned and publicly ridiculed.
Curl has long been a staple for admins, researchers, and developers, and it ships in default builds of Windows, macOS, and most Linux distributions. The project has depended on private bug reports from outside researchers and has paid bounties for high-severity vulnerabilities to help keep the tool secure.
The spike in AI-generated submissions has led to bogus vulnerability claims and code that would not compile. Maintainers have even cataloged some examples in public discussions showing that the AI-generated reports often lack fidelity to real curl internals.
Stenberg has not dismissed AI-assisted reporting entirely. He has praised AI-assisted bug hunting in the past and noted that a researcher using AI tools helped surface a number of issues. He warned, however, that many bad reports come from people asking an AI bot to do all the work without understanding the context. The move underscores a broader tension facing open-source projects grappling with an AI-generated flood of input.