The curl project is ending its bug bounty program on January 31, 2026, after running it since 2019. While the program successfully identified 87 vulnerabilities and paid over $100,000 in rewards, it has been overwhelmed by AI-generated false reports and low-quality submissions. The confirmation rate dropped from 15% to below 5%.