• Stenberg: The end of the curl bug-bounty program

    From LWN.net@1337:1/100 to All on Monday, January 26, 2026 17:02:16
    Stenberg: The end of the curl bug-bounty program

    Date:
    Mon, 26 Jan 2026 16:52:10 +0000

    Description:
    Curl creator Daniel Stenberg has written a blog
    post explaining why the project is ending its bug-bounty
    program, which started in April 2019:

        The never-ending slop submissions take a serious mental toll to
        manage and sometimes also a long time to debunk. Time and energy that
        is completely wasted while also hampering our will to live.

        I have also started to get the feeling that a lot of the security
        reporters submit reports with a bad faith attitude. These "helpers"
        try too hard to twist whatever they find into something horribly bad
        and a critical vulnerability, but they rarely actively contribute to
        actually improve curl. They can go to extreme efforts to argue and
        insist on their specific current finding, but not to write a fix or
        work with the team on improving curl long-term etc. I don't think we
        need more of that.

        There are these three bad trends combined that makes us take this
        step: the mind-numbing AI slop, humans doing worse than ever and the
        apparent will to poke holes rather than to help.

    Stenberg writes that he still expects "the best and our most
    valued security reporters" to continue informing the project when
    security vulnerabilities are discovered. The program will officially
    end on January 31, 2026.

    ======================================================================
    Link to news story:
    https://lwn.net/Articles/1055996/


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)