The developers of curl have announced they are shutting down the project’s HackerOne bug bounty program at the end of January 2026, citing an overwhelming rise in low-quality and AI-generated vulnerability reports.
The decision was first spotted in a pending update to curl’s BUG-BOUNTY.md documentation, which removes all references to HackerOne. Once merged, the documentation will clearly state that curl no longer offers monetary rewards for reported bugs and will not assist researchers in seeking compensation from third parties.
curl founder and lead developer Daniel Stenberg said the security team has been increasingly strained by what he describes as “AI slop”—low-effort reports that sound convincing but fail to identify real vulnerabilities. Since early 2026 alone, the project has already received dozens of submissions, many of which required significant time to review despite containing no valid security issues.
“The main goal with shutting down the bounty is to remove the incentive for people to submit crap and non-well-researched reports,” Stenberg explained, adding that the growing noise has taken a toll on both productivity and developer mental health. He noted that curl is a small open-source project with limited maintainers, making the situation unsustainable.
Since 2019, curl’s bounty program was run through HackerOne and the Internet Bug Bounty, offering cash rewards for responsibly disclosed vulnerabilities in curl and its companion library libcurl. However, Stenberg says data shows curl experienced a sharp increase in submissions throughout 2025, unlike many other open-source projects on HackerOne.
The transition away from HackerOne will happen in stages. The Curl project will continue to accept HackerOne submissions until January 31, 2026, with any in-progress reports still being reviewed. From February 1, 2026, researchers will be asked to report security issues directly through GitHub.
The project’s updated security.txt file also makes its new stance clear, stating that no monetary rewards are offered and warning that repeat low-quality submissions may lead to bans. Stenberg says a detailed blog post explaining the change will be published next week.





