| Location | Brooklyn NY |
| Web | https://mattbrown.dev |
@sarah @pollita Here's Daniel's initial blog post on the matter: https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/
In the hands of experts, proprietary LLM-assisted security analysis caught 50 bugs/vulnerabilities in Curl: https://daniel.haxx.se/blog/2025/10/10/a-new-breed-of-analyzers/
But commercially-available LLMs make it easy for clueless grifters to submit HackerOne reports, so they had to shut down the whole thing.
tldr: an attempt to reduce the terror reporting. There is no longer a curl bug-bounty program. It officially stops on January 31, 2026. After having had a few half-baked previous takes, in April 2019 we kicked off the first real curl bug-bounty with the help of Hackerone, and while it stumbled a bit at first … Continue reading The end of the curl bug-bounty →
I created two PHP sites in 2011 that are still going, 15 years later. Code that got the job done but was terribly-written. Yesterday I spent a couple of hours with Claude, which modernised the code and eliminated a few egregious vulnerabilities. Some things broke in the migration and optimisation, but they were easy to fix.
It wasn’t worth my time to do this work myself, and paves the way to move a bunch of sites (including psalm.dev) off a $1,000/year server to something much cheaper.