The end of the curl bug-bounty

tldr: an attempt to reduce the terror reporting. There is no longer a curl bug-bounty program. It officially stops on January 31, 2026. After having had a few half-baked previous takes, in April 2019 we kicked off the first real curl bug-bounty with the help of Hackerone, and while it stumbled a bit at first …

daniel.haxx.se
The bugbounty crash of 2025 in a single image (from the blog post)

@bagder talking about graphs, maybe one showing the payout per month/year might be nice?

"The bugbounty cash"

@bagder Granted you got flooded with #AIslop pretty hard...
@bagder I'm sad this had to happen but I sincerely hope you people will be better off for it.
@bagder RIP, it was probably one of the best
@bagder Oh, actually related: the IBB HackerOne listing still lists curl, should this be removed from the IBB listings as well? https://hackerone.com/ibb/policy_scopes
@addison I believe it will be removed by the end of January when this officially goes into effect
@bagder Gotcha, just wanted to ask to make sure since they were listed separately.
@bagder small grammar/rewrite wording issue in the PR section: "I believe for PRs we have better much means to sort out the weed with automatic means, since we have tools, tests and scanners to verify such contributions."
@poolitzer thanks, fixing!

@bagder happy to help. Now I can claim to have bug fixed curl.

...

Sort of

@bagder great write up. Thanks for all you do

@bagder

Charging people money in an International context is complicated and a maintenance burden.

I think if it does come to this, you might consider requiring a small donation to a charity? This would dramatically reduce the hassle on all sides, and do something good as a bonus.

@fre receiving money for vulnerability *reports* would not mean that we ship vulnerabilities though...
@bagder of course not, but I guess someone could spin it like "they now have incentive to publish buggy code", right? Anyway, that wasn't the point of the post and I didn't want to insinuate any bad intentions, sorry. I'll remove that part.
@bagder I feel that this onslaught of AI slop reports is a DoS attack that weakens the security.
@ollej that is certainly a risk, yes
@bagder "not even one in twenty was real" is one of the most damning things I've ever heard about the state of BBPs. that's abysmal.
@bagder
sorry to hear the slop has ruined a good thing. hopefully HackerOne learn from this and start taking stronger steps to curb this issue.
@bagder yea, GHSA drafts are decent, but I really wish I could disclose a report that has been declined. Github, please?

@seanmonstar @bagder Yep... I called for exactly this from platforms: https://sethmlarson.dev/slop-security-reports#what-platforms-can-do

Primarily so that maintainers can collaborate against this sort of behavior, but also to make bad actors known.

New era of slop security reports for open source

I'm on the security report triage team for CPython, pip, urllib3, Requests, and a handful of other open source projects. I'm also in a trusted position such that I get "tagged in" to other open sou...

sethmlarson.dev
@sethmlarson @seanmonstar I have a meeting with someone at Github in a few hours. I will bring this up!
@bagder not sure if intentional but the article title from pressmind.org had all of its Polish UTF-8 characters replaced with "?"
PressMind Labs: AI, technology and the future of the digital world

Discover the world of artificial intelligence and new technologies. PressMind Labs is a magazine about AI, innovations and ideas that create the digital future.
@Mae argh, I think that's just wordpress being annoying... 😕

@bagder without reading the article I knew why 😔

Maybe submitting a report should cost something? The people that are confident about their findings would get the reward that easily pays for that. For the slop that's just too expensive.

Sounds weird but... maybe?

@tcurdt so when you read the post you can read my answer to that question!

@bagder

Sorry, I was too quick with my reply 🫣

Yeah, I can see receiving a fee being a pain, too. Especially the uneven barrier to entry feels unfair.

@bagder Makes sense to end the paid program, given the quantity of slop it was receiving. It's too bad because paid bug bounties can be helpful in surfacing real problems, but it makes sense given the circumstances.

Kind of unfortunate to use an AI slop header image along with it, though, don't you think?

@bagder Where's that header image from?