RE: https://mastodon.social/@bagder/116238308017724408
AI is not your friend, buddy.
@sarah @pollita Here's Daniel's initial blog post on the matter: https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/
In the hands of experts, proprietary LLM-assisted security analysis caught 50 bugs/vulnerabilities in curl: https://daniel.haxx.se/blog/2025/10/10/a-new-breed-of-analyzers/
But commercially available LLMs make it easy for clueless grifters to submit HackerOne reports, so they had to shut down the whole thing.

tldr: an attempt to reduce the terror reporting. There is no longer a curl bug-bounty program. It officially stops on January 31, 2026. After having had a few half-baked previous takes, in April 2019 we kicked off the first real curl bug-bounty with the help of Hackerone, and while it stumbled a bit at first …
@mattbrowndev @pollita thanks! I am really sad to hear that slop has been such a problem.
When I use AI I know its limits and use my own expertise to verify its outcomes. But I can see where slop is a real issue.