> We have concluded the hard way that a bug bounty gives people too strong incentives to find and make up "problems" in bad faith that cause overload and abuse.
Anyone who follows Daniel Stenberg on social media, or his talks, or his blog, or cURL’s HackerOne, know the struggle AI slop reports have been on the cURL project, and how they’ve tried to work with HackerOne to reduce those and have been talking for months about terminating it for that very reason.
On the other side of it, I've submitted reports that are valid, have the steps, and show impact. Companies will do everything in their power to not pay you, including changing the back-end code or just stating it doesn't have any impact on business.
Daniel Stenberg, leader and BDFL of the cURL project, has been in contact with HackerOne for at least several months to resolve the situation. It was fruitless. Daniel’s social media posts and blog make that clear.
> Companies will do everything in their power to not pay you, including changing the back-end code or just stating it doesn't have any impact on business.
That doesn’t apply to cURL at all.
"That doesn’t apply to cURL at all"
I never said it did. My point is that companies are struggling with slop reports as much as researchers not getting paid.
jruohonen•1h ago
https://news.ycombinator.com/item?id=46666777