Curl removes bug bounties because of AI slop
2 months ago
- #AI
- #Open Source
- #Bug Bounty
- cURL is removing bounty payouts for bug reports to reduce AI-generated nonsense reports.
- AI-generated bug reports are overwhelming open source projects, including cURL, causing extra work for maintainers.
- Daniel Stenberg, cURL maintainer, highlights the increasing volume of 'AI slop' reports.
- Bounty payouts will end at the end of January to discourage low-quality submissions.
- Not all AI-generated reports are bad; some have led to valid corrections.
- Over the years, cURL paid $101,020 in bounties for 87 bug reports.
- Joshua Rogers, an AI-assisted bug hunter, supports ending bounties, calling it overdue.
- Rogers argues the real incentive for reporting vulnerabilities is fame, not money.
- Bounties have asymmetric value depending on the reporter's socio-economic background.