The maintainers of cURL, one of the Internet's most widely used networking tools, are ending the project's vulnerability reward (bug bounty) program after an overwhelming influx of low-quality reports, many of them AI-generated.
Daniel Stenberg, the founder and lead developer of the open source tool cURL, stated on Thursday, “We are just a small single open source project with a small number of active maintainers. It is not in our power to change how all these people and their slop machines work. We need to make moves to ensure our survival and intact mental health.”
The decision has drawn complaints from cURL users who argue that shutting down the program treats a symptom of the AI-generated reports without addressing the root problem, and who fear it removes a critical mechanism for finding and fixing security flaws in the tool. Stenberg largely agrees with these concerns, but his team has limited options.
In a separate communication on Thursday, Stenberg mentioned, “We will ban you and ridicule you in public if you waste our time on crap reports.” Stenberg later confirmed in a GitHub update that the program's termination will become effective at the end of the month.
First released thirty years ago, cURL, initially called httpget and later urlget, is a critical tool used by administrators, researchers, and security professionals for file transfers, troubleshooting web software, and automating tasks. It ships by default with Windows, macOS, and most Linux distributions.
Given its widespread usage, ensuring the security of cURL is of utmost importance. Like other software developers, members of the cURL project have relied on private vulnerability reports from external researchers. To motivate and reward high-quality submissions, they have offered cash bounties for discoveries of high-severity vulnerabilities.