Seems painfully obvious that, whatever you think about #genai code, anyone using it is heading for a code-review logjam. Assuming that the org requires code review; if yours doesn’t, nothing I can say will help you. Anyhow, Rishi Baldawa writes smart stuff about the problem and possible ways forward, in “The Reviewer Isn't the Bottleneck”: https://rishi.baldawa.com/posts/review-isnt-the-bottleneck/

[My prediction: A lot of orgs will *not* do smart things about this and will suffer disastrous consequences in the near future.]

The Reviewer Isn't the Bottleneck

AI tools are flooding PR queues and the instinct everywhere is to call review the bottleneck. I think that’s the wrong question. The reviewer is the last sync point before production changes. The goal shouldn’t be how to remove the gate, but how to make it cheaper to operate.

Rishi Baldawa

@timbray

Curl shut down their bug bounty after six years

Huh? I often see Daniel ranting about this, sure, but I haven’t seen what they’re saying here, and their link doesn’t say that either

[edit] I was wrong, they stopped in January
https://www.theregister.com/2026/01/21/curl_ends_bug_bounty/

Curl shutters bug bounty program to remove incentive for submitting AI slop

Maintainer hopes hackers send bug reports anyway, will keep shaming 'silly' ones

The Register

@GuillaumeRossolini @timbray https://curl.se/dev/vuln-disclosure.html

> There is no bug bounty and the curl project never offers rewards for reported vulnerabilities.

More in https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/

curl - Vulnerability Disclosure Policy

@nikclayton yes I completely missed that, my bad