
Can the OS bug bounty system survive the AI tsunami? cURL, HackerOne

We spoke to cURL's creator and HackerOne's co-founder about whether bug bounties can survive AI.

Image credit: https://unsplash.com/@kasiade

cURL, the widely used open-source command-line tool and library for transferring data over URLs, has taken its bug bounty programme off HackerOne. Daniel Stenberg, who founded the project 30 years ago, is hoping to send a message: no more AI slop bug reports.

Bug bounties have been a good thing for the open-source community, Stenberg told The Stack, but an overwhelming number of low-quality reports in recent months is putting that system at risk.

cURL has found approximately 87 confirmed vulnerabilities by offering bug bounties and paid out “over $100,000 in rewards,” according to the project's founder.

The project's HackerOne profile shows 82 resolved reports and $16,300 paid out to developers since the page went live in April 2019. 

Yet the cURL HackerOne page now sports a pop-up saying it no longer accepts submissions, and the bug bounty file in cURL's GitHub repository states the programme "is no more."

HackerOne's co-founder Michiel Prins says there are options for mitigating AI-generated bug reports that don't require pulling bounties altogether, but FOSS's "open" principles and limited resources mean those levers may be harder to pull.
