cURL, the ubiquitous command-line tool for transferring data, has officially announced the termination of its vulnerability reporting program on HackerOne. The project will accept its final bug reports through the platform on January 31, 2026. Moving forward, security researchers must report issues directly via the project's GitHub repository.
The "AI Fatigue" Factor
The decision stems from a growing frustration voiced by Daniel Stenberg, the creator of cURL. Stenberg has previously criticized the current state of bug reporting in the age of Artificial Intelligence. The project has been overwhelmed by low-quality, "fake" vulnerability reports—mostly generated by AI tools—that require significant time and resources from the limited core team to investigate and debunk.
By eliminating the financial incentive (Bug Bounty), Stenberg aims to deter "point-and-click" reporters using AI to hunt for rewards and instead focus on high-quality, manual research from the security community.
An Unexplained Target
Interestingly, Stenberg noted that throughout 2025, cURL was targeted by AI-generated reports at a disproportionately higher rate compared to other projects on the HackerOne platform. "I don't quite understand why cURL became the primary target for this," Stenberg remarked, promising to provide a more detailed post-mortem explanation of the decision next week.
- The problem the cURL team encountered wasn't just the sheer volume of reports, but the AI "hallucination" of vulnerabilities: reports that reference non-existent code or misinterpret memory usage. Hackers focused on maximizing their contribution counts often copy-paste these reports without verification.
- For open-source projects with few volunteers, spending hours daily reading junk reports is a significant burnout factor. Removing monetary rewards is therefore the most effective way to filter out unscrupulous individuals, as genuine researchers are more likely to contribute to software development without monetary compensation.
- The reason cURL is a prime target in 2025 may be because it's used in almost every device in the world, from refrigerators to cars, and has a vast amount of documentation. This means AI models are trained to "know" cURL's code well, making it easy for users to instruct the AI to search for vulnerabilities.
- This move could be the beginning of a new trend where smaller open-source projects move away from centralized platforms like HackerOne or Bugcrowd and return to traditional Vulnerability Disclosure Policy (VDP) systems that emphasize direct relationships with researchers.