cURL stopped HackerOne bug bounty program due to excessive slop reports

https://github.com/curl/curl/pull/20312

17•latexr•2w ago

Comments

jruohonen•2w ago

As could be expected, curl was the first one, but now the prediction is in the air about whether slop will kill also bug bounties themselves, and maybe even GitHub; cf.

https://news.ycombinator.com/item?id=46666777

latexr•2w ago

Exact messaging is:

> We have concluded the hard way that a bug bounty gives people too strong incentives to find and make up "problems" in bad faith that cause overload and abuse.

Anyone who follows Daniel Stenberg on social media, or his talks, or his blog, or cURL’s HackerOne, know the struggle AI slop reports have been on the cURL project, and how they’ve tried to work with HackerOne to reduce those and have been talking for months about terminating it for that very reason.

billy99k•2w ago

Slop bug bounty reports have always been an issue. Sites like HackerOne have a triage team that's supposed to filter through the garbage, before it gets to program management.

On the other side of it, I've submitted reports that are valid, have the steps, and show impact. Companies will do everything in their power to not pay you, including changing the back-end code or just stating it doesn't have any impact on business.

latexr•2w ago

> Sites like HackerOne have a triage team that's supposed to filter through the garbage, before it gets to program management.

Daniel Stenberg, leader and BDFL of the cURL project, has been in contact with HackerOne for at least several months to resolve the situation. It was fruitless. Daniel’s social media posts and blog make that clear.

> Companies will do everything in their power to not pay you, including changing the back-end code or just stating it doesn't have any impact on business.

That doesn’t apply to cURL at all.

billy99k•2w ago

That's why I said 'supposed to'. It's obviously not working.

"That doesn’t apply to cURL at all"

I never said it did. My point is that companies are struggling with slop reports as much as researchers not getting paid.

FSD helped save my father's life during a heart attack

Show HN: Writtte – Draft and publish articles without reformatting, anywhere

Portuguese icon (FROM A CAN) makes a simple meal (Canned Fish Files) [video]

Brookhaven Lab's RHIC Concludes 25-Year Run with Final Collisions

Transcribe your aunts post cards with Gemini 3 Pro

.72% Variance Lance

ReKindle – web-based operating system designed specifically for E-ink devices

Encrypt It

NextMatch – 5-minute video speed dating to reduce ghosting

Personalizing esketamine treatment in TRD and TRBD

SpaceKit.xyz – a browser‑native VM for decentralized compute

NotebookLM: The AI that only learns from you

Show HN: An open-source starter kit for developing with Postgres and ClickHouse

Game Boy Advance d-pad capacitor measurements

South Korean crypto firm accidentally sends $44B in bitcoins to users

Apache Poison Fountain

Web.whatsapp.com appears to be having issues syncing and sending messages

Google in Your Terminal

Shannon: Claude Code for Pen Testing: #1 on Github today

Anthropic: Latest Claude model finds more than 500 vulnerabilities

Brooklyn cemetery plans human composting option, stirring interest and debate

Why the 'Strivers' Are Right

Brain Dumps as a Literary Form

Agentic Coding and the Problem of Oracles

Malicious packages for dYdX cryptocurrency exchange empties user wallets

Show HN: I built a <400ms latency voice agent that runs on a 4gb vram GTX 1650"

Penisgate erupts at Olympics; scandal exposes risks of bulking your bulge

Arcan Explained: A browser for different webs

What did we learn from the AI Village in 2025?

An open replacement for the IBM 3174 Establishment Controller