Incident report

The bounty ended. The queue was the story.

curl bug bounty shutdown

Maintainer and security-team review under synthetic report pressure

curl project

The important turn in curl's bug-bounty story is not that one maintainer got sick of bad reports. It is that a trust system that once bought real signal could no longer survive when report-shaped output got cheap and review stayed human.

He did not stop accepting security problems. He stopped pretending the old bargain still worked.

On January 26, 2026, Daniel Stenberg announced that curl’s bug bounty was over.

At a glance, it can read like a tired maintainer finally snapping. The record says otherwise. curl had run the program since April 2019. It had paid out more than $100,000 and surfaced 87 confirmed vulnerabilities. This was not a broken toy finally being thrown away.

What died was older and more important than a line item.

The old bargain had been simple enough to trust: if a reporter spent real effort finding a real security problem, the project would spend real effort reviewing it and pay when the report held up. By the start of 2026, that bargain was not holding shape anymore.

For years, the bounty looked like it was buying real signal

If curl’s bounty had always been noisy, always been marginal, always been a chore Daniel wanted to escape, the ending would not tell us much. The primary record says the opposite. The program had been productive for years. Real researchers came in. Real vulnerabilities were confirmed. Real money went back out.

Stenberg was not closing a failed experiment. He was closing something that had worked well enough to become part of how curl handled outside security signal. When a maintainer kills a system that has already proven useful, the question changes. It is no longer “why did this never work?” It becomes “what changed badly enough that even success could not save it?”

The queue changed shape before the shutdown became public

The public break came in January. The pressure became visible months earlier.

On July 14, 2025, Stenberg published a post titled Death by a thousand slops. That title was not decorative. It described what the queue had started to feel like from the review side: not one spectacular fake report, not one infamous hoax, but a continuing stream of report-shaped objects that still had to be opened, read, checked, discussed, and killed.

The details are what make the episode stick.

By early July 2025, Stenberg wrote, only about 5% of that year’s submissions had turned out to be genuine vulnerabilities. The curl security team had seven members. Each report typically pulled in three to four people and could cost anywhere from 30 minutes to three hours each. A bad report did not merely waste one person’s afternoon. It spread the waste around a small group that was supposed to be protecting the project’s real security lane.

Once a report can be generated cheaply enough, the expensive part moves. It moves into the reviewer, the thread, the verification pass, the extra pair of eyes, the moment someone has to ask whether this one is different from the last six. A queue can fill with things that look enough like work to demand work.

The shutdown was a refusal to keep paying that bill in human attention

By the time the January post arrived, the turn had already happened.

Stenberg wrote that curl would stop its bug bounty on January 31, 2026. The line sounded final because it was final in one sense: the rewards were gone. The project was done paying for a flow of incoming claims that no longer reliably signaled real investigation.

But even here, the story did not move in the simple direction people expected.

He did not announce that curl would stop taking security reports. He announced that the bounty was ending, and that the project would move the reporting lane itself. The project tried to keep the security channel while removing the incentive structure that had become too easy to game.

That distinction matters because it shows what curl thought had failed.

Security reporting was still worth having. The old terms of intake were not.

Then came the second turn: the new lane was wrong too

If the story ended with the January shutdown, it would still be useful. It would also be flatter.

The more revealing beat came a month later.

On February 25, 2026, Stenberg published curl security moves again. The rewards were still gone. There was still no bug bounty. But the project was undoing another part of the January change as well. curl had tried taking reports through GitHub’s security-advisory flow. That, he wrote, had been a mistake. Starting March 1, 2026, curl would go back to HackerOne for vulnerability reporting, even without prize money attached.

That second move sharpens the whole episode.

It shows that Daniel was not just slamming a door because AI reports had made him angry. He was trying to re-draw the boundary in a way the team could actually live with. First the money went away. Then the intake surface changed. Then even that new surface had to be corrected because it created its own operational problems around privacy, workflow, and abuse handling.

The February post makes it much harder to read the shutdown as a maintainer simply slamming a door. It reads like a maintainer still trying to save the important part of the system after the old structure collapsed.

The expensive part was no longer finding the bug

Bug bounties assume a certain kind of friction. A plausible report is supposed to represent real labor: somebody looked, tested, narrowed, reproduced, and decided this was worth sending. The reviewer then spends real time confirming it. The queue works because effort exists on both sides, even if imperfectly.

AI-generated reports attack that assumption without needing to break any rule of formatting.

They can sound careful enough. They can arrive in volume. They can carry just enough structure to force a human being to inspect them. The cheap thing is no longer the spam email with obvious nonsense. The cheap thing is the plausible report that still has to be disproved.

The image that lingers is not one maintainer staring at one ridiculous submission. It is a seven-person security team being asked, over and over, to spend expensive human judgment on artifacts that got much cheaper to produce than to dismiss.

What curl actually gave up

The cleanest way to remember this incident is not that curl stopped caring about security.

curl gave up on paying for an intake model that no longer filtered for effort.

The project still wanted reports. It still needed a private lane. It still needed a place where real researchers could send real findings. What it could not keep doing was pretending that the old bounty bargain still aligned incentives once AI-generated submissions began to change the economics of the queue.

That is why the February return to HackerOne matters so much to the ending. It keeps the story honest. Daniel did not walk away from the reporting problem. He kept narrowing the boundary until the team had something more survivable.

The bounty ended.

The queue was the story.

Sources and boundary

Documented facts

  • Daniel Stenberg announced the end of curl’s bug bounty on January 26, 2026, with the program officially stopping on January 31, 2026.
  • In that announcement, he wrote that curl’s bug bounty had started in April 2019, had helped surface 87 confirmed vulnerabilities, and had paid over $100,000 in rewards.
  • In Death by a thousand slops on July 14, 2025, Stenberg wrote that by early July only about 5% of 2025 submissions were genuine vulnerabilities, and that each report typically engaged three to four members of curl’s seven-person security team for 30 minutes to three hours each.
  • In curl security moves again on February 25, 2026, Stenberg wrote that curl would return security reporting to HackerOne starting March 1, 2026, while keeping the reward money gone.

Reported framing

  • Secondary reporting, including BleepingComputer, treated the shutdown as a notable case of AI-generated bug-report pressure changing open-source security workflow.

Editorial interpretation

  • This piece argues that the central break was not “AI is annoying,” but the collapse of a trust-based cost model in which incoming reports had once signaled meaningful effort.
  • It also argues that the February move back to HackerOne makes the story stronger because it shows the project still trying to preserve security intake while redesigning the boundary around it.

Confidence boundary

High confidence: the dates, the start and stop points of the bug bounty, the primary-source counts and cost signals, and the March 1 return to HackerOne for report intake.

Moderate confidence: the broader inference that curl previews a reusable pattern for open-source trust systems facing cheap, report-shaped output at scale.

Bounded: any claim about how universal this pattern will become across all projects, or how much of the low-quality flow was directly AI-generated versus broader low-effort reporting.

Sources

  1. Daniel Stenberg, The end of the curl bug-bounty (January 26, 2026)
  2. Daniel Stenberg, Death by a thousand slops (July 14, 2025)
  3. Daniel Stenberg, curl security moves again (February 25, 2026)
  4. BleepingComputer, Curl maintainer shuts down bug bounty program due to AI-made bug reports
