Starting January 31, 2026, curl will discontinue its Bug Bounty Program. This comes after an announcement from the founder and lead developer, Daniel Stenberg, aka Badger. With the uptrend of AI in infosec, a growing number of AI slop submissions is creating a greater workload for the security team with no fruitful results.
Looking through the public reports submitted on HackerOne, you can see the load of garbage submitted. Badger does not hold back on calling out submission authors for not understanding how the program works, reporting bugs that are not vulnerabilities, and using AI to generate slop reports. In a comment, Piotr P. Karwasz, an Apache Logging developer, states that Apache Log4j is currently dealing with the same issues. They are currently adjusting their bug bounty program to remedy the issue, but if that fails, they will close their program by the end of February 2026.

Even though curl is ending its Bug Bounty Program, that does not mean the project is no longer taking reports. The main idea is not to incentivise poor mass reports. Security issues can still be submitted to their GitHub or emailed directly to the curl security team, with no monetary reward offered.



