Skip to content
The AI-First Web

curl Will Refuse All Vulnerability Reports for the Entire Month of July. AI-Generated Slop Reports Killed the Bug Bounty Program.

Daniel Stenberg shut down curl's HackerOne bug bounty in January 2026 after AI-generated reports flooded the queue with fabricated vulnerabilities. Now the project is closing submissions entirely for July — a 'summer of bliss.' 466 Hacker News points. The security infrastructure humans built is breaking under AI noise.

· 6 min read
Share on X LinkedIn
curl Will Refuse All Vulnerability Reports for the Entire Month of July. AI-Generated Slop Reports Killed the Bug Bounty Program.

A Month Without Vulnerability Reports

On June 15, 2026, curl maintainer Daniel Stenberg announced that the curl project will not accept any vulnerability reports during the entire month of July 2026. The HackerOne submission form will be paused from July 1 through August 3. No CVE assignments, no security advisories, no triage, no review. The most widely deployed HTTP client library in the world — used in virtually every operating system, every container image, every CI/CD pipeline — will have a closed door for security reports for 34 days.

The announcement hit 466 points on Hacker News, resonating with a development community drowning in the same problem. The reason is not burnout from real vulnerabilities. It is burnout from AI-generated slop — fabricated vulnerability reports produced by AI tools that sound authoritative, reference real code paths, cite plausible attack vectors, and are entirely fictional. Each one requires the same triage effort as a real report. The signal-to-noise ratio has collapsed.

July 1 – August 3, 2026
Submission pause
34 days with no vulnerability reports accepted. Source: daniel.haxx.se, June 15, 2026.
Shut down January 2026
Bug bounty program
Due to AI-generated report flooding. Source: daniel.haxx.se.
466 points, 188 comments
Hacker News response
Widespread developer community resonance. Source: Hacker News, June 15, 2026.

How AI Slop Killed Bug Bounties

The timeline tells the story. Bug bounty platforms like HackerOne incentivize vulnerability discovery with financial rewards. AI tools — ChatGPT, Claude, Gemini, and specialized 'AI pentest' tools — can generate plausible-looking vulnerability reports in seconds. Aspiring bounty hunters use AI to mass-produce reports, submit them across hundreds of projects, and hope that some percentage result in payouts. The AI reports are grammatically polished, technically detailed, and frequently wrong.

For a project like curl, which has a small maintainer team (essentially Stenberg and a handful of contributors), each report requires reading, understanding, attempting to reproduce, and writing a response. A fabricated report about a buffer overflow in a function that handles edge cases in HTTP/2 header parsing requires the same investigation effort as a real one — until the maintainer discovers it describes behavior that does not exist. Multiply this by dozens of AI-generated reports per week, and the maintainer's time is consumed by fiction.

The Meta-Pattern: AI Degrading Security Infrastructure

curl is not alone. The pattern is appearing across open source security infrastructure. Maintainers of Linux kernel subsystems, OpenSSL, and Python's standard library have reported similar floods. The OWASP prompt injection report (340% surge in 2026) documents the offensive side. The curl story documents the defensive side: the infrastructure that exists to find and fix vulnerabilities is being overwhelmed by AI-generated noise that mimics the shape of vulnerability reports without containing actual vulnerabilities.

This is a second-order effect of AI capability that the AI safety conversation has largely ignored. The threat is not that AI finds real vulnerabilities (that would be valuable). The threat is that AI generates convincing-looking fake vulnerability reports at a volume that makes the real ones impossible to find. The security researchers who would be triaging real curl vulnerabilities in July 2026 will not be doing that work. Any real vulnerability discovered during that window will wait 34 days for review.

What This Means for the Web

curl is a dependency of virtually every web framework. WordPress uses it. Next.js's server-side fetching uses it. FastAPI's httpx uses it. Django's requests library uses it. A vulnerability in curl affects every web application in existence. The project's decision to close vulnerability intake for a month means that any curl vulnerability discovered in July 2026 will remain unpatched and unacknowledged for at least 34 days — in the HTTP library that underpins the internet.

The broader implication is that open source security depends on human attention, and human attention is a finite resource being consumed by AI-generated noise. The frameworks that minimize their dependency surface — static site generators with zero runtime HTTP dependencies, compiled languages with vendored libraries — are structurally less exposed to this risk. The frameworks that maximize their dependency surface — WordPress with 78,000 plugins, each with their own dependency trees — are structurally more exposed. The security of the web is only as strong as the humans who have time to review the reports.

Share this insight