TLDR: Daniel Stenberg, the creator of the widely used Curl command-line utility, is contemplating discontinuing its bug bounty program due to an overwhelming influx of low-quality and AI-generated vulnerability reports. This ‘AI slop’ is consuming significant resources from the small security team, with only 5% of submissions in 2025 proving to be genuine vulnerabilities.
Daniel Stenberg, the visionary behind the ubiquitous open-source Curl command-line utility, is grappling with a growing crisis that threatens the efficiency of its critical security operations. Stenberg is seriously considering the drastic measure of discontinuing Curl’s long-standing bug bounty program, a move prompted by an unprecedented surge in low-quality vulnerability reports, many of which are believed to be generated by artificial intelligence tools.
Referred to by Stenberg and his team as ‘AI slop,’ these bogus submissions have become a significant burden. The problem, which Stenberg first highlighted in January 2024, has escalated dramatically over the past year and a half. Compounding the issue is ‘human slop’ – low-quality reports where it’s unclear if AI was involved, but the net effect on the review process is identical.
Data from 2025 paints a stark picture: approximately 20 percent of all security report submissions received by Curl this year have been identified as ‘AI slop.’ Despite averaging about two security reports per week, a mere 5 percent of these submissions by early July 2025 had turned out to be genuine vulnerabilities. This represents a significant decrease in the valid rate compared to previous years, indicating a decline in the signal-to-noise ratio.
The Curl bug bounty program, which has been in operation since 2019 and is outsourced to HackerOne, has historically been a success, paying out over $90,000 for 81 genuine security awards. However, the current deluge of irrelevant reports is straining the project’s limited resources. The Curl security team comprises only seven members, and each report typically requires review by three to four individuals. This process can consume anywhere from 30 minutes to three hours per submission, diverting valuable time from actual development and genuine vulnerability patching.
While the program’s current policy requires bug reporters to disclose the use of generative AI, it does not outright ban AI-assisted submissions, though it strongly discourages them. The policy explicitly states, ‘You should check and double-check all facts and claims any AI told you before you pass on such reports to us,’ adding, ‘You are normally much better off avoiding AI.’
Stenberg has expressed his intention to spend the remainder of 2025 evaluating and deliberating on the best course of action. ‘I want us to use the rest of the year 2025 to evaluate and think,’ Stenberg wrote in a blog post. He emphasized the need to ‘reduce the amount of sand in the machine’ and ‘drastically reduce the temptation for users to submit low quality reports. Be it with AI or without AI,’ for the ‘sanity of the curl security team members.’ Among the options being considered is the potential discontinuation of monetary rewards, a move that could significantly alter the landscape of vulnerability reporting for the critical open-source project.