cURL removes bug bounties

The open source code library Curl is removing the possibility of earning money by reporting bugs, in the hope that this will reduce the volume of AI slop reports. Joshua Rogers – the bug hunter who shot to fame with AI – believes it is a good idea.

Curl is inundated with AI-generated error reports. Now one incentive to make them will be lost.

Most AI-generated error reports submitted to cURL are pure nonsense. Other open source projects are also caught in the same epidemic.

Curl maintainer Daniel Stenberg made an impact last year with his reporting on AI-generated bug reports – “death by a thousand slops.”

Determining whether a report is rubbish is time-consuming and means a lot of extra work for maintainers.

“AI dysfunction and bad reports have been increasing even more recently, so we have to try to stem the flood to avoid drowning,” Daniel Stenberg, curl maintainer, tells the Swedish electronics industry news site etn.se.

Therefore, Curl is ending bounty payments by the end of January.

“We hope this will give people some incentive to send us trash. We spend too much time dealing with the mess caused by findings that aren’t real, are exaggerated, or are misunderstood.”

Not all AI-generated bug reports are nonsense. The exact share cannot be determined, but Daniel Stenberg knows of over a hundred good AI-assisted reports that led to improvements.

In total, the 87 rewarded bug reports sent to curl over the past few years amounted to US$101,020.

How many of them would have gone under the radar if reward money didn’t exist?

Elektroniktidningen put that question to bug-hunting champion Joshua Rogers, who flooded open source projects with bug reports last year – good reports.

Interestingly, his reports were prepared with the help of AI tools. But he does not just wander around in the dark – he reviews and adds to the AI’s analysis before submitting anything.

Despite being an active vulnerability hunter himself, he believes removing the bounty is an excellent idea, something that should have been done a long time ago. He wrote as much in a 2025 year-end post.

“I think it’s a good move and something that others should pay more attention to. Honestly, it’s ridiculous that it’s gone on for so long and I personally would have stopped it a long time ago,” he tells etn.se.

But without a reward, does the incentive to do code reviews disappear?

“*An incentive*, but not all,” he comments, “especially for anything that will be reported that really matters”.

So do you think the impact won’t be that big?

“Not much. The real incentive for finding a vulnerability in Curl is fame (‘the brand is priceless’), not a hundred or a few thousand dollars. $10,000 (the maximum Curl reward) isn’t a lot of money in the grand scheme of things, for someone able to find a serious vulnerability in Curl.”

However, he realizes that not everyone may share that attitude.

“My view is that there is an asymmetric relationship between developers (open source or not) and so-called ‘security researchers’ (or even actual security researchers). Regardless of whether the researchers are in expensive or cheap countries, the value provided to the developer is the same. However, on the other hand, the value of the reward is not the same for every reporter – in low socio-economic locations, a reward that would cost a lunch in Sweden may be larger for those in a lower socio-economic position,” says Joshua Rogers.
