cURL stopped HackerOne bug bounty program due to excessive slop reports

https://github.com/curl/curl/pull/20312

17•latexr•2w ago

Comments

jruohonen•2w ago

As could be expected, curl was the first one, but now the prediction is in the air about whether slop will kill also bug bounties themselves, and maybe even GitHub; cf.

https://news.ycombinator.com/item?id=46666777

latexr•2w ago

Exact messaging is:

> We have concluded the hard way that a bug bounty gives people too strong incentives to find and make up "problems" in bad faith that cause overload and abuse.

Anyone who follows Daniel Stenberg on social media, or his talks, or his blog, or cURL’s HackerOne, know the struggle AI slop reports have been on the cURL project, and how they’ve tried to work with HackerOne to reduce those and have been talking for months about terminating it for that very reason.

billy99k•2w ago

Slop bug bounty reports have always been an issue. Sites like HackerOne have a triage team that's supposed to filter through the garbage, before it gets to program management.

On the other side of it, I've submitted reports that are valid, have the steps, and show impact. Companies will do everything in their power to not pay you, including changing the back-end code or just stating it doesn't have any impact on business.

latexr•2w ago

> Sites like HackerOne have a triage team that's supposed to filter through the garbage, before it gets to program management.

Daniel Stenberg, leader and BDFL of the cURL project, has been in contact with HackerOne for at least several months to resolve the situation. It was fruitless. Daniel’s social media posts and blog make that clear.

> Companies will do everything in their power to not pay you, including changing the back-end code or just stating it doesn't have any impact on business.

That doesn’t apply to cURL at all.

billy99k•2w ago

That's why I said 'supposed to'. It's obviously not working.

"That doesn’t apply to cURL at all"

I never said it did. My point is that companies are struggling with slop reports as much as researchers not getting paid.

Show HN

OpenAI is Broke and so is everyone else [video][10M]

We interfaced single-threaded C++ with multi-threaded Rust

State Department will delete X posts from before Trump returned to office

AI Skills Marketplace

Show HN: A fast TUI for managing Azure Key Vault secrets written in Rust

eInk UI Components in CSS

Discuss – Do AI agents deserve all the hype they are getting?

ChatGPT is changing how we ask stupid questions

Zig Package Manager Enhancements

Neutron Scans Reveal Hidden Water in Martian Meteorite

Deepfaking Orson Welles's Mangled Masterpiece

France's homegrown open source online office suite

SpaceX Delays Mars Plans to Focus on Moon

Jeremy Wade's Mighty Rivers

Show HN: MCP App to play backgammon with your LLM

AI Command and Staff–Operational Evidence and Insights from Wargaming

Show HN: CCBot – Control Claude Code from Telegram via tmux

Ask HN: Is the CoCo 3 the best 8 bit computer ever made?

Show HN: Convert your articles into videos in one click

Red Queen's Race

The Anthropic Hive Mind

A Horrible Conclusion

I spent $10k to automate my research at OpenAI with Codex

From Zero to Hero: A Spring Boot Deep Dive

Show HN: Solving NP-Complete Structures via Information Noise Subtraction (P=NP)

Cook New Emojis

Show HN: LoKey Typer – A calm typing practice app with ambient soundscapes

Long-Sought Proof Tames Some of Math's Unruliest Equations

Hacking the last Z80 computer – FOSDEM 2026 [video]