The curl project is ending its bug bounty program on January 31, 2026, after running it since 2019. While the program successfully identified 87 vulnerabilities and paid over $100,000 in rewards, it has been overwhelmed by AI-generated false reports and low-quality submissions. The confirmation rate dropped from 15% to below 5%
From daniel.haxx.se