Wednesday, July 16, 2025
Latest:
The Register

Curl creator mulls nixing bug bounty awards to stop AI slop

TH Author

Daniel Stenberg, founder and lead developer of the open-source curl command line utility, just wants the AI slop to stop.

Stenberg and a handful of other curl maintainers have been overwhelmed by bogus bug reports created by individuals using generative AI tools. He and others have referred to unwanted generative AI content as “AI slop” and he’s complained about the problem that poses for maintainers since January 2024.

The problem has worsened in the past year and a half, compounded by “human slop” – low-quality submissions where it isn’t obvious whether the submission came from a person or an AI model.

The general trend so far in 2025 has been way more AI slop than ever before

“The general trend so far in 2025 has been way more AI slop than ever before (about 20 percent of all submissions) as we have averaged about two security report submissions per week,” he wrote in a blog post on Monday. “In early July, about 5 percent of the submissions in 2025 had turned out to be genuine vulnerabilities. The valid-rate has decreased significantly compared to previous years.”

Curl up and die?

The situation has prompted Stenberg to reevaluate whether to continue curl’s bug bounty program, which he says has paid out more than $90,000 for 81 awards since its inception in 2019. He said he expects to spend the rest of the year mulling possible responses to the rising tide of AI refuse.

Presently, the curl bug bounty program – outsourced to HackerOne – requires the bug reporter to disclose the use of generative AI. It does not entirely ban AI-assisted submissions, but does discourage them.

“You should check and double-check all facts and claims any AI told you before you pass on such reports to us,” the program’s policy explains. “You are normally much better off avoiding AI.”

Two bug submissions per week on average may not seem like a lot, but the curl security team consists of only seven members. As Stenberg explains, three or four reviewers review each submission, a process that takes anywhere from 30 minutes to three hours.

“I personally spend an insane amount of time on curl already, wasting three hours still leaves time for other things,” Stenberg lamented. “My fellows however are not full time on curl. They might only have three hours per week for curl. Not to mention the emotional toll it takes to deal with these mind-numbing stupidities.”

Stenberg noted that last week the volume of AI-slop reports surged to eight times the usual rate. He’s now compiled a list of bad curl bug bounty reports. At the time this story was filed, the list contained 22 slop bug reports.

Last December, Seth Larson, security developer-in-residence at the Python Software Foundation, published a similar cri de coeur about slop security reports polluting the Python ecosystem.

And in May 2025, Benjamin Piouffle, a software engineer at Open Collective, said in a Mastodon post that Open Collective faces a similar problem being “flooded with AI garbage.”

“We may ultimately need to migrate to a platform like HackerOne and restrict submissions to verified researchers (we currently handle everything manually),” Piouffle wrote. “All this will eventually make it harder for junior researchers to break into the industry.”

Stenberg says it’s not clear what HackerOne should do to reduce reckless use of AI, but insists something needs to be done. His post ponders charging a fee to submit a report or dropping the bug bounty award, while also expressing reservations about both potential remedies.

“As a lot of these reporters seem to genuinely think they help out, apparently blatantly tricked by the marketing of the AI hype-machines, it is not certain that removing the money from the table is going to completely stop the flood,” he concludes. ®

READ MORE HERE