The end of the curl bug-bounty
Summary
Daniel Stenberg announces the end of curl's bug-bounty program, effective January 31, 2026, citing a flood of AI-generated and low-quality reports. He notes the program's past success but argues that AI slop and poor reporter behavior have eroded its value, and outlines a shift toward private GitHub vulnerability reporting and no monetary rewards. The post also discusses ongoing security practices and the media coverage surrounding the decision.