Maintainer hopes hackers send bug reports anyway, will keep shaming ‘silly ones’

The maintainer of popular open-source data transfer tool cURL has ended the project’s bug bounty program after maintainers struggled to assess a flood of AI-generated contributions.

Curler-in-chief Daniel Stenberg last week lodged a GitHub commit named “BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026”.

Readers may recall that Stenberg started complaining about AI-generated bug reports in early 2024, and by mid-2025 contemplated killing the project’s bug bounty program. After receiving some strong bug reports that a developer found with help from AI, Stenberg acknowledged that AI can be a fine bug-hunting aid.

Stenberg addressed his decision in a mailing message that opened with news that last week the project’s bug bounty scheme generated seven submissions and that while some identified bugs, none described a vulnerability.

Figuring that out took “a good while.”

He then expressed his hope that ending the bug bounty program will “remove ...