Curl will end its bug bounty program by the end of January due to excessive AI generated reports
Summary
Daniel Stenberg announces that curl will end its bug bounty program by the end of January 2026 due to a flood of AI-generated and low-quality reports that burden the security team. The post explains the intent to focus on real vulnerabilities while continuing to address legitimate security concerns, and also touches on ongoing work like rate limiting, feature plans, and DNS discussions. It provides context on community reporting dynamics and the rationale for throttling noise from submissions.