Lately, the Curl code library has been receiving a lot of AI-generated reports from users hoping to receive financial compensation from the tool’s bug bounty program.
Going through all the reports has taken up so many resources that Curl has decided to eliminate compensation for bug hunters altogether.
“AI slop and generally bad reports have only increased even more recently, so we have to make an attempt to slow down the river so as not to drown,” Curl’s chief administrator Daniel Stenberg said in a comment to Elektroniktidningen.
Over the years, Curl has distributed a total of $101,020 in compensation for bug hunter reports.
Curl is not alone in enduring the significant changes in the bounty industry due to AI-powered bug hunting, which democratizes and accelerates vulnerability discovery while also taxing bug bounty programs with false positives and “AI slop.”