curl: Project ends bug bounty program
curl maintainer Daniel Stenberg has announced the end of the bug bounty program. Unusable AI reports likely became too prevalent.
The curl project is discontinuing its bug bounty program at the end of January. This means IT researchers will no longer be able to receive a reward for discovered and reported security vulnerabilities in the popular open-source tool.
Daniel Stenberg, maintainer of curl and libcurl, announced this on the social network Mastodon. The change has also been incorporated into the curl source code on GitHub.
According to that change, Stenberg is removing references to the bug bounty program on HackerOne from the project sources, and the links to it will be deleted. Anyone who suspects a security issue should instead contact curl or Stenberg privately. The curl website's page on the preferred procedure for reporting a vulnerability still refers to the bug bounty program. However, there are already indications that IT researchers should contact the mailing list security(at)curl(dot)se, which, however, has some prerequisites.
These could be rather off-putting: “We basically only require that you have been involved with the Curl project for a long time and have shown an understanding of the project and its way of working, and do not intend to disappear again in the near future.” However, this will likely change with the end of the official bug bounty program.
Reasons not yet stated
Stenberg has not yet commented on the specific reasons for this step. A user on Mastodon remarked, “I don't think that will stop the slop,” “slop” being short for “AI slop,” roughly “AI garbage.” Stenberg replied: “Nothing can stop it, but hopefully we can slow it down by removing a strong incentive.”
It is plausible that Stenberg is taking this step because of the growing number of “AI garbage reports.” He has repeatedly complained, loudly and in frustration, about unusable bug reports that read plausibly and take a lot of effort to reproduce, only to turn out to be nonsense. On LinkedIn, he wrote in May of last year: “I'm fed up. I'm putting a stop to this madness.”
Daniel Stenberg told heise online that “it's just a PR still; we haven't merged it, so technically it is still just a proposal.” But it’s going to happen. “We might tweak some wordings and timings before it lands.” This step is related to the AI slop tsunami, he confirmed. “We hope that we can slow down the torrent of incoming issues and workload somewhat by removing the money incentive.”
Curl, short for “Client for URLs,” is a powerful open-source tool and library for transferring data over a wide range of protocols, including HTTP and FTP. Those who have unleashed their AI tools on curl's sources, sometimes apparently without any expertise, will at least no longer be able to earn money from curl after the end of the month.
(dmk)