Overrun with AI slop, cURL scraps bug bounties to ensure intact mental health

“We need to make moves to ensure our survival and intact mental health.”

cURL is ending its bug bounty program January 31, 2026 after AI-generated reports overwhelmed the volunteer security team. In the first 21 days of 2026, they received 20 AI-generated reports. Seven in one week. None describing actual vulnerabilities. By mid-2025, 20% of submissions were AI slop. Meanwhile, a researcher who used AI as a research assistant (not a replacement) found 50 real bugs. The distinction matters. AI-assisted security research works. AI-replaced security research is spam.