Stenberg: The end of the curl bug-bounty program
Curl creator Daniel Stenberg has written a blog post explaining why the project is ending its bug-bounty program, which started in April 2019:
The never-ending slop submissions take a serious mental toll to manage and sometimes also a long time to debunk. Time and energy that is completely wasted while also hampering our will to live.
I have also started to get the feeling that a lot of the security reporters submit reports with a bad faith attitude. These "helpers" try too hard to twist whatever they find into something horribly bad and a critical vulnerability, but they rarely actively contribute to actually improve curl. They can go to extreme efforts to argue and insist on their specific current finding, but not to write a fix or work with the team on improving curl long-term etc. I don't think we need more of that.
There are these three bad trends combined that makes us take this step: the mind-numbing AI slop, humans doing worse than ever and the apparent will to poke holes rather than to help.
Stenberg writes that he still expects "the best and our most valued security reporters" to continue informing the project when security vulnerabilities are discovered. The program will officially end on January 31, 2026.