The onslaught includes LLMs finding bogus vulnerabilities and code that won't compile.

The project developer for one of the Internet’s most popular networking tools is scrapping its vulnerability reward program after being overrun by a spike in the submission of low-quality reports, much of it AI-generated slop.

“We are just a small single open source project with a small number of active maintainers,” Daniel Stenberg, the founder and lead developer of the open source app cURL, said Thursday. “It is not in our power to change how all these people and their slop machines work. We need to make moves to ensure our survival and intact mental health.”

  • KissakiEnglish
    7·
    12 hours ago

    relevant, from a PR comment

    On Monday January 26, 2026, I intend to merge this pull-request and post an explainer blog post detailing some further reasoning and details behind this move. The change, the end of the bounty, is officially set for January 31 but I am certain it will take some days to “take effect” and by merging the update a few days early I don’t think we actually hurt anyone.