curl Takes July Off After AI Slop Killed Its Bug Bounty

Curl will not accept vulnerability reports for the entire month of July 2026, a move maintainer Daniel Stenberg calls the "curl summer of bliss." The blackout follows a year of AI-generated fake security reports that overwhelmed the bug bounty program, forcing its shutdown in January 2026 and a subsequent restart in March. The team needs time to recover from the deluge of AI slop that collapsed confirmation rates and drained volunteer energy.

curl — the data transfer library running on hundreds of millions of devices — announced today that it won’t accept any vulnerability reports for the entire month of July. Maintainer Daniel Stenberg is calling it the “curl summer of bliss.”

The name sounds whimsical. The story behind it is not: AI-generated fake security reports spent most of 2025 destroying curl’s bug bounty program, forced the team to shut it down in January 2026, scramble through a failed GitHub experiment, return to HackerOne in March — and now, simply take a month off to breathe.

What the July Blackout Means

Starting July 1 at 00:00 CEST, curl’s HackerOne portal goes dark. The security email address becomes a dead end. Submissions resume August 3 at 09:00 CEST. Enterprises with paid support contracts still get coverage — the blackout applies to volunteer-handled public reports, not commercial agreements.

The direct casualty: curl 8.22.0, previously slated for mid-August, is now pushed to September 2, 2026 (https://daniel.haxx.se/blog/2026/06/15/curl-summer-of-bliss/).

The obvious question: won’t bad actors exploit this gap? Probably not in the way you’d think. Attackers who find real vulnerabilities in curl don’t file HackerOne reports — they exploit them. The people who file reports are researchers. Responsible researchers can wait five weeks. And given what the curl team has been through, they’ve earned it.
How AI Broke curl’s Bug Bounty

curl ran a HackerOne bug bounty from April 2019 through January 2026. In that time, 87 real vulnerabilities were confirmed and over $100,000 in rewards paid out — a meaningful contribution to the security of software that handles data transfers in essentially every internet-connected device on the planet.

That program ended because the economics of AI broke it. Through 2025, Stenberg watched his team’s confirmation rate collapse from a historical 15% to below 5%. By mid-2025, 20% of submissions were what he calls “AI slop” (https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-slops/) — reports generated by LLMs referencing vulnerabilities that don’t exist, code paths curl doesn’t have, or bugs from old CVE databases that were patched years ago. Seven team members were spending 30 minutes to several hours debunking each one. In one 16-hour window, seven invalid submissions arrived in sequence. Stenberg described the toll as “hampering our will to live.”

On January 26, 2026, he killed the program (https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/). His logic was direct: remove the financial incentive that was drawing sloptimists in the first place. HackerOne’s co-founder acknowledged the industry-wide problem but noted that open-source projects have fewer filtering options than commercial ones — they can’t quietly tighten requirements without breaking their “open” ethos.

AI Fixed the Quality Problem — and Made the Volume Worse

Here’s the counterintuitive part: AI improved. By the time curl returned to HackerOne in March 2026, the slop was largely gone. Confirmation rates recovered to 15–16% — back to pre-slop levels. Stenberg noted that “almost all the bad reports are now gone.” The AI models that used to hallucinate vulnerabilities are now finding real ones.

The quality problem solved itself. The volume problem didn’t.
Reports now arrive at roughly double the 2025 rate, which was already double prior years. AI-assisted security research is genuinely productive — HackerOne reported a 210% year-over-year increase in valid AI-found vulnerabilities across its platform in 2025. However, each valid report still needs a human to triage, reproduce, patch, and coordinate disclosure. The curl team has the same seven people. The workload has not scaled with the tooling (https://www.bleepingcomputer.com/news/security/curl-ending-bug-bounty-program-after-flood-of-ai-slop-reports/).

The Human Side Hasn’t Scaled

curl isn’t an outlier. Sixty percent of open-source maintainers work unpaid. Forty-four percent cite burnout as their reason for leaving. In March 2026, Kubernetes retired its Ingress NGINX controller — one of the most-deployed components in the ecosystem — because maintainers stopped patching it. Ghostty implemented a blanket ban on AI-generated contributions. The pattern is consistent: AI tools increase inbound volume faster than volunteer infrastructure can absorb it.

The curl summer of bliss is a human story with a technical wrapper. The software that powers data transfers across billions of devices — from enterprise cloud deployments to the firmware in your TV — is maintained by a small group of people who spent 18 months fighting AI-generated noise, and now need five weeks to recover. That’s not a failure of curl. It’s a description of where open-source security infrastructure stands in 2026.
Key Takeaways

- curl won’t process any vulnerability reports July 1–August 2, 2026; the curl 8.22.0 release moves to September 2
- AI slop destroyed curl’s bug bounty in 2025 (20% slop rate, below 5% valid); the program was ended January 26, 2026
- AI quality improved by March 2026 — reports are mostly legitimate now — but volume doubled, creating a new strain on the same small team
- Open-source security maintainers cannot scale human capacity to match AI research volume; the curl vacation is a symptom of a systemic gap that extends well beyond one project