Curl cancels its bug bounty program because of AI errors.
cURL removes bug bounties

Original link: https://etn.se/index.php/nyheter/72808-curl-removes-bug-bounties.html

The open source library cURL will end its bug bounty program at the end of January, aiming to reduce the flood of low-quality, AI-generated vulnerability reports. Maintainers are being swamped by "AI slop": meaningless reports that consume large amounts of valuable time to verify. While some AI-assisted reports *have* led to real fixes (over the years accounting for USD 101,020 in bounties), the volume of useless submissions is unsustainable. Notably, even the well-known AI-driven bug hunter Joshua Rogers, who has successfully reported many vulnerabilities using AI tools, supports the decision. He argues that fame, not money, is the primary motivation for finding critical issues in projects like cURL, and that the bounty amounts are relatively small for skilled researchers. Rogers acknowledges that this will affect researchers in low-income regions, for whom bounties can be a substantial income, but he ultimately believes the move is necessary in order to prioritize genuine security improvements. cURL hopes that removing the financial incentive will curb the "flood" of "garbage" reports and let maintainers focus on legitimate issues.

Hacker News: Curl removes bounty program because of AI bugs (etn.se), 40 points, by jnord, 52 minutes ago, 2 comments

eknkc, 16 minutes ago: List of the bugs, for those interested: https://gist.github.com/bagder/07f7581f6e3d78ef37dfbfc81fd1d...

husaku, 8 minutes ago, in reply: > To reproduce the issue, I searched for this vulnerability in Bard. Mentioning Bard as an LLM brings back memories :)
Original text

Open source code library cURL is removing the possibility to earn money by reporting bugs, hoping that this will reduce the volume of AI slop reports. Joshua Rogers – AI wielding bug hunter of fame – thinks it's a great idea.

cURL has been flooded with AI-generated error reports. Now one of the incentives to create them will go away.

The vast majority of AI-generated error reports submitted to cURL are pure nonsense. Other open source projects are caught in the same pandemic.

cURL maintainer Daniel Stenberg made an impact with his reporting on AI-generated bug reports last year – ”Death by a thousand slops.”

Determining that they are nonsense is time-consuming, causing the maintainers lots of extra work.

”AI slop and bad reports in general have been increasing even more lately, so we have to try to brake the flood in order not to drown”, says cURL maintainer Daniel Stenberg to Swedish electronics industry news site etn.se.

Therefore, cURL is terminating the bounty payouts as of the end of January.

“We hope this removes some of the incentives for people to send us garbage. We spend far too much time handling slop due to findings that are not real, exaggerated, or misunderstood.”

Not all AI-generated bug reports are nonsense. It’s not possible to determine the exact share, but Daniel Stenberg knows of more than a hundred good AI assisted reports that led to corrections.

In total, 87 bug reports to cURL have over the years amounted to USD 101,020 in bounties.

How many of them would have gone under the radar if the bounty money had not existed?

Elektroniktidningen passes that question on to debugging champion Joshua Rogers, who last year flooded open source projects with bug reports – good reports.

Interestingly, his reports were generated with the help of AI tools. But he doesn’t just vibe along in the dark — he reviews and adds to AI's analysis before submitting anything.

Despite being an active code vulnerability hunter himself, he thinks removing the bounty money is a stellar idea; something that should have been done a long time ago. He documented that view in a 2025 year-end posting.

“I think it's a good move and worth a bigger consideration by others. It's ridiculous that it went on for so long to be honest, and I personally would have pulled the plug long ago,” he says to etn.se.

But without the bounties an incentive to do code reviews disappears?

”*An incentive*, but not all,” he comments, ”especially for anything that will be reported which actually matters”.

So you think the effect won’t be that big?

“Not much. The real incentive for finding a vulnerability in cURL is the fame ('brand is priceless'), not the hundred or few thousand dollars. $10,000 (maximum cURL bounty) is not a lot of money in the grand scheme of things, for somebody capable of finding a critical vulnerability in curl.”

He realizes, though, that not everyone might share that attitude.

“My view is that there is an asymmetric relationship between developers (open source or not) and so-called "security researchers" (or even real security researchers). Regardless of whether the researchers are in expensive or cheap countries, the value provided to the developer is the same. However, on the flipside, the value of a bounty is not the same for every reporter -- in low socio-economic locations, a reward which would be the cost of lunch in Sweden can be massive for those low socio-economic-located people,” says Joshua Rogers.
