Curl Ends Bug Bounty Program After Surge of AI-Generated Vulnerability Reports

The curl project, a cornerstone of modern internet infrastructure, has announced that it will end its bug bounty program, hosted on HackerOne, at the end of January 2026. Curl is a widely used command-line tool and software library for transferring data over a range of network protocols, and it sits quietly underneath countless applications, servers, and devices around the world. For years, the bug bounty program paid security researchers who responsibly disclosed vulnerabilities in curl and its companion library, libcurl.

The decision to shut down the program marks a significant shift in how the project handles vulnerability reporting, and it highlights a strain felt across the wider security ecosystem.

Why the Bug Bounty Is Ending

According to the project's maintainers, the core problem is not a lack of interest in security but too much of the wrong kind of attention. Over time, the curl security team was overwhelmed by a surge of low-quality reports: submissions that were poorly researched, duplicated known issues, or described behaviour that was not a vulnerability at all.

A large share of this influx appears to be AI-generated, the kind of report maintainers bluntly call "AI slop." These submissions can look polished on the surface, but they typically lack technical depth, a working reproduction, or any real understanding of curl's codebase. The tell is usually in the details: a credible report names the affected version, points at specific code, and includes something that can be run or verified, whereas the generated ones describe plausible-sounding bugs with none of that. For a small, volunteer-heavy project, sorting signal from noise became an exhausting and time-consuming task.

The Maintainers’ Breaking Point

Project founder and lead developer Daniel Stenberg has been candid about the strain this created. Every report, however flawed, still had to be read, analyzed, and formally dismissed, and that triage diverted scarce volunteer time from real security work and ongoing development.

The conclusion was straightforward: as long as cash rewards were on offer, so was the incentive to submit low-effort or speculative reports. By removing the bounty, the team hopes to discourage spammy submissions and refocus attention on meaningful, well-researched disclosures from people who genuinely understand the software.

What Happens After January 2026

The transition will happen in stages. Until January 31, 2026, HackerOne will continue to accept new reports and process submissions already in progress. After that date, curl will no longer accept vulnerability reports through the HackerOne platform.

Beginning February 1, 2026, security researchers will be asked to report vulnerabilities directly through curl’s GitHub security reporting process. Importantly, these reports will no longer come with financial compensation. The maintainers hope this approach will prioritize quality over quantity and reduce the administrative burden on the security team.

A Broader Industry Problem

Curl's decision reflects a wider challenge facing many open-source projects and bug bounty programs. Even before the rise of generative AI, open submission systems were prone to spam and low-value reports. AI tools have amplified the problem, making it easier than ever to generate large volumes of convincing but ultimately useless security claims.

Curl previously tried mitigations short of shutting the program down, such as requiring reporters to declare whether AI tools were used in preparing a submission. Those measures did little to stem the tide, and ending the bounty altogether was judged the most practical option.

Looking Ahead

While some may view this move as a setback, curl’s maintainers see it as a necessary reset. Security remains a top priority for the project, but the focus is shifting toward sustainability. By cutting down on noise and reclaiming developer time, curl hopes to stay secure, stable, and healthy—without drowning in AI-generated paperwork.