“We need to make moves to ensure our survival and intact mental health.”

cURL is ending its bug bounty program January 31, 2026 after AI-generated reports overwhelmed the volunteer security team. In the first 21 days of 2026, they received 20 AI-generated reports—seven in one week—none describing actual vulnerabilities. By mid-2025, 20% of submissions were AI slop. Meanwhile, a researcher who used AI as a research assistant (not a replacement) found 50 real bugs. The distinction matters: AI-assisted security research works; AI-replaced security research is spam.