Curl ending bug bounty program after flood of AI slop reports

Curl is ending its HackerOne bug bounty program due to a surge of low-quality, often AI-generated vulnerability reports that overwhelmed the small maintenance team. The project will stop offering monetary rewards, accept HackerOne submissions only until January 31, 2026, and move to direct GitHub reporting thereafter. #curl #HackerOne

Keypoints

  • Curl is terminating its HackerOne bug bounty after being overloaded with low-effort, AI-generated vulnerability reports.
  • The project will no longer provide monetary rewards or assist researchers in obtaining third-party compensation for curl bugs.
  • HackerOne submissions are accepted until January 31, 2026; from February 1, 2026 reports should be filed directly via GitHub.
  • The change aims to reduce noise, lower the workload on a small maintainer team, and protect developers’ mental health.
  • Curl updated its security.txt to reflect the policy, warning that “crap” reports may lead to bans and public ridicule, with a blog post to follow for more details.

Read More: https://www.bleepingcomputer.com/news/security/curl-ending-bug-bounty-program-after-flood-of-ai-slop-reports/