A project developer for one of the Internet’s most popular networking tools is ending its vulnerability bounty program after being troubled by a spike in low-quality report submissions, much of it AI-generated negligence.
“We’re just a small solo open source project with a small number of active maintainers,” Daniel Steinberg, founder and lead developer of the open source app Curl, said Thursday. “It is not in our power to change the way all these people and their slop machines work. We need to take steps to ensure our survival and intact mental health.”
creation of fake bug
His comments came after Curl users complained that the move was treating the symptoms caused by AI sloppiness without addressing the cause. Users said they were concerned that the move would eliminate a key means of ensuring and maintaining device security. Steinberg largely agreed, but indicated that his team had little choice.
In a separate post Thursday, Steinberg wrote: “If you waste our time on bullshit reports we will ban you and publicly ridicule you.” An update to cURL’s official GitHub account made the termination official, which will take effect later this month.
Curl was first released three decades ago under the name httpget and later urlget. It has since become an indispensable tool among administrators, researchers, and security professionals for a wide range of tasks including file transfer, troubleshooting malfunctioning web software, and automating tasks. Curl is integrated into default versions of Windows, macOS, and most distributions of Linux.
As a widely used tool for interacting with large amounts of data online, security is paramount. Like many other software makers, curl project members have relied on private bug reports submitted by external researchers. To provide incentives and reward high-quality submissions, project members are paid cash rewards in exchange for reports of high-severity vulnerabilities.
<a href