cURL stopped HackerOne bug bounty program due to excessive slop reports

https://github.com/curl/curl/pull/20312

17•latexr•2w ago

Comments

jruohonen•2w ago

As could be expected, curl was the first one, but now the prediction is in the air about whether slop will kill also bug bounties themselves, and maybe even GitHub; cf.

https://news.ycombinator.com/item?id=46666777

latexr•2w ago

Exact messaging is:

> We have concluded the hard way that a bug bounty gives people too strong incentives to find and make up "problems" in bad faith that cause overload and abuse.

Anyone who follows Daniel Stenberg on social media, or his talks, or his blog, or cURL’s HackerOne, know the struggle AI slop reports have been on the cURL project, and how they’ve tried to work with HackerOne to reduce those and have been talking for months about terminating it for that very reason.

billy99k•2w ago

Slop bug bounty reports have always been an issue. Sites like HackerOne have a triage team that's supposed to filter through the garbage, before it gets to program management.

On the other side of it, I've submitted reports that are valid, have the steps, and show impact. Companies will do everything in their power to not pay you, including changing the back-end code or just stating it doesn't have any impact on business.

latexr•2w ago

> Sites like HackerOne have a triage team that's supposed to filter through the garbage, before it gets to program management.

Daniel Stenberg, leader and BDFL of the cURL project, has been in contact with HackerOne for at least several months to resolve the situation. It was fruitless. Daniel’s social media posts and blog make that clear.

> Companies will do everything in their power to not pay you, including changing the back-end code or just stating it doesn't have any impact on business.

That doesn’t apply to cURL at all.

billy99k•2w ago

That's why I said 'supposed to'. It's obviously not working.

"That doesn’t apply to cURL at all"

I never said it did. My point is that companies are struggling with slop reports as much as researchers not getting paid.

Feedback on a client-side, privacy-first PDF editor I built

Clay Christensen's Milkshake Marketing (2011)

Show HN: WeaveMind – AI Workflows with human-in-the-loop

Show HN: Seedream 5.0: free AI image generator that claims strong text rendering

A contributor trust management system based on explicit vouches

Show HN: Analyzing 9 years of HN side projects that reached $500/month

The Floating Dock for Developers

Arcan Explained – A browser for different webs

We are not scared of AI, we are scared of irrelevance

Quartz Crystals

Show HN: I built a free dictionary API to avoid API keys

Show HN: Kybera – Agentic Smart Wallet with AI Osint and Reputation Tracking

Show HN: brew changelog – find upstream changelogs for Homebrew packages

Any chess position with 8 pieces on board and one pair of pawns has been solved

LLMs as Language Compilers: Lessons from Fortran for the Future of Coding

Projecting high-dimensional tensor/matrix/vect GPT–>ML

Show HN: Free Bank Statement Analyzer to Find Spending Leaks and Save Money

Our Stolen Light

Matchlock: Linux-based sandboxing for AI agents

Show HN: A2A Protocol – Infrastructure for an Agent-to-Agent Economy

Drinking More Water Can Boost Your Energy

Proving Laderman's 3x3 Matrix Multiplication Is Locally Optimal via SMT Solvers

Fire may have altered human DNA

"Compiled" Specs

The Next Big Language (2007) by Steve Yegge

Open-Weight Models Are Getting Serious: GLM 4.7 vs. MiniMax M2.1

Using AI for Code Reviews: What Works, What Doesn't, and Why

Show HN: Solnix – an early-stage experimental programming language

DoNotNotify is now Open Source

The British Empire's Brothels