The widely used open-source CLI app for downloading files, cURL, has taken its bug bounty programme off HackerOne. Daniel Stenberg, who founded the project 30 years ago, is hoping to send a message: no more AI slop bug reports.

Bug bounties have been a good thing for the open source community, Stenberg told The Stack, but an overwhelming number of low-quality reports in recent months is putting that system at risk.

cURL has found approximately 87 confirmed vulnerabilities by offering bug bounties and paid out “over $100,000 in rewards,” according to the project's founder.

The project's HackerOne profile shows 82 resolved reports and $16,300 paid out to developers since the page went live in April 2019.

Yet the cURL HackerOne page now sports a pop-up saying it no longer accepts submissions, and the bug bounty file in cURL’s GitHub repository states the programme “is no more.”

HackerOne’s co-founder Michiel Prins says there are options for mitigating AI-generated bug reports that don’t require pulling bounties altogether, but FOSS’s “open” principles and limited resources mean those levers may be harder to pull.
