Stenberg: The end of the curl bug-bounty program
Curl creator Daniel Stenberg has written a blog
post explaining why the project is ending its bug-bounty
program, which started in April 2019:

The never-ending slop submissions take a serious mental toll to
manage and sometimes also a long time to debunk. Time and energy that
is completely wasted while also hampering our will to live.

I have also started to get the feeling that a lot of the security
reporters submit reports with a bad faith attitude. These “helpers”
try too hard to twist whatever they find into something horribly bad
and a critical vulnerability, but they rarely actively contribute to
actually improve curl. They can go to extreme efforts to argue and
insist on their specific current finding, but not to write a fix or
work with the team on improving curl long-term etc. I don’t think we
need more of that.

There are these three bad trends combined that makes us take this
step: the mind-numbing AI slop, humans doing worse than ever and the
apparent will to poke holes rather than to help.

Stenberg writes that he still expects “the best and our most
valued security reporters” to continue informing the project when
security vulnerabilities are discovered. The program will officially
end on January 31, 2026.
