Daniel, the developer behind the widely used open-source utility cURL, recently revealed in a blog post that he is contemplating the discontinuation of the project’s vulnerability bounty program. This initiative rewards security researchers and developers based on the severity of vulnerabilities they responsibly disclose.
The cURL bounty program has long served as an incentive for experts to uncover and report flaws. However, the influx of seemingly AI-generated, fraudulent vulnerability submissions has become a major burden for Daniel and the small team of reviewers—none of whom work full time on the project.
Since its inception in 2019, the bounty program has awarded a total of $90,000 across 81 verified vulnerabilities. Yet now, overwhelmed by the deluge of false reports, Daniel is seriously considering shutting down the initiative, citing the excessive drain on limited time and resources.
The program operates via platforms like HackerOne, which specialize in vulnerability submissions and triage. While HackerOne does allow the use of AI-assisted tools, it does not endorse them and requires disclosure if AI was involved in discovering a vulnerability.
Driven by the potential for rewards, some developers appear to have created AI-powered scanners that automatically analyze software like cURL and submit reports whenever an issue is suspected. Unfortunately, these reports often lack accuracy and merit.
For instance, just last week, the number of junk submissions skyrocketed to eight times the usual volume. Despite the low signal-to-noise ratio, the cURL team must painstakingly review each report to ensure no legitimate vulnerability goes unnoticed—an exhausting and inefficient process.
At present, Daniel has yet to reach a final decision. Canceling the bounty program risks deterring genuine researchers from contributing, while continuing it in its current form invites an unsustainable influx of noise. Either option presents a significant dilemma—and one not easily resolved.