Curl maintainer: AI security reports are no longer slop
The curl project has seen a significant increase in the quality and quantity of security report submissions since returning to Hackerone in March 2026. Reports are now more frequent and detailed, with a higher rate of confirmed vulnerabilities. This trend is not unique to curl, as other open-source projects are experiencing similar patterns in security reporting.
- ▪The curl project shut down its bug-bounty program due to high volumes of low-quality submissions in early 2026.
- ▪Since returning to Hackerone, the frequency of security reports has doubled compared to 2025, with a confirmed vulnerability rate of 15-16%.
- ▪Almost all security reports now utilize AI, leading to higher quality submissions across various open-source projects.
Opening excerpt (first ~120 words) tap to expand
cURL and libcurl High-Quality Chaos April 22, 2026 Daniel Stenberg 7 Comments As I have been preparing slides for my coming talk at foss-north on April 28, 2026 I figured I could take the opportunity and share a glimpse of the current reality here on my blog. The high quality chaos era, as I call it. No more AI slop I complained and I complained about the high frequency junk submissions to the curl bug-bounty that grew really intense during 2025 and early 2026. To the degree that we shut it down completely on February 1st this year. At the time we speculated if that would be sufficient or if the flood would go on. Now we know. Higher volume, higher quality In March 2026, the curl project went back to Hackerone again once we had figured out that GitHub was not good enough.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at daniel.haxx.se.
Discussion
0 commentsMore from daniel.haxx.se
