DEV Community

Andrew
Andrew

Posted on

When AI Slop Breaks Your Bug Bounty: The curl Maintainer Approach

The Incident

As of July 1, 2026, the curl project officially stopped accepting security reports. This is not a partial suspension or a soft pause. Until August 3, 2026, all channels, including HackerOne and the dedicated security email address, are effectively dark. Daniel Stenberg, the project's lead maintainer, dubbed this period the "curl summer of bliss," emphasizing that the team is stepping away from the keyboard to avoid professional burnout caused by an unsustainable volume of AI-generated noise.

The Economics of Noise

For years, curl maintained a healthy triage process where roughly 15% of reports resulted in confirmed vulnerabilities. By 2025, that figure plummeted to below 5%. Stenberg estimates that, at the peak, nearly 20% of all incoming reports were "AI slop"-fabricated claims citing non-existent functions, imaginary code paths, or vulnerabilities already resolved years prior.

The core issue is a shift in cost asymmetry:

  • Generation Cost: With LLMs, identifying and writing a plausible-sounding CVE report now costs near-zero effort.
  • Verification Cost: Validating the claim, reviewing the code, and testing the proof of concept still requires the same high-level human expertise as always.

A DDOS on Triage

Stenberg has candidly referred to this flood of automated reports as a denial-of-service attack on the project's triage capacity. A seven-person volunteer team simply cannot compete with an automated stream of reports that require manual verification.

Initially, curl attempted to manage this by:

  1. Banning accounts submitting clear AI artifacts.
  2. Terminating their paid HackerOne bounty program on January 31, 2026.

Despite these efforts, the volume continued to climb. The removal of a financial incentive did not curb the spam because many generators operate without a profit motive, potentially chasing reputation or resume padding. The result is a broken triage pipeline where maintainers are forced to spend their limited time reading AI-generated fiction instead of fixing real risks.

The Scalability Problem

This is not a project-specific anomaly. The broader developer community is witnessing identical patterns:

  • HackerOne IBB: The Internet Bug Bounty program paused new submissions in March 2026, pivoting to focus on remediation after models proved adept at discovery.
  • CVE Growth: Sonatype's 2026 State of the Software Supply Chain report notes that the count of unscored CVEs has grown 37x in five years.

The "summer of bliss" is a structural defense against a new reality. By shutting down intake, curl is establishing a boundary, prioritizing maintainer health over the expectation that open-source projects must provide instant, 24/7 security response for every automated bot that targets them.

If you maintain a popular repository, the data suggests you should prepare for a scenario where your triage queue exceeds your capacity. Relying on an "always on" model is increasingly difficult when the barrier to creating "reports" has been entirely removed by LLMs.

Reference

curl's Summer of Bliss: Why It Stopped Taking Bug Reports in July 2026

curl is refusing all vulnerability reports for the month of July 2026 after AI-generated 'slop' reports pushed its confirmed-vulnerability rate below 5%. Here's the timeline, the numbers, and why this is bigger than one project.

favicon pinggy.io

Top comments (0)