The project behind one of the Internet’s most popular networking tools is scrapping its vulnerability bounty program after being plagued by a surge in low-quality reports, many of them AI-generated garbage.
“We are just a small open source project with a small number of active maintainers,” Daniel Stenberg, founder and lead developer of the open source cURL application, said Thursday. “It is not in our power to change the way all these people and their waste machines work. We need to take action to ensure our survival and our mental health intact.”
Fabricate false errors
His comments came as cURL users complained that the move was treating symptoms caused by AI without addressing the cause. Users said they were concerned that the move would remove a key means of ensuring and maintaining the security of the tool. Stenberg largely agreed, but indicated his team had no choice.
In a separate post on Thursday, Stenberg wrote: “We will ban and ridicule you in public if you waste your time with garbage reporting.” An update to cURL’s official GitHub account made the termination official; it will take effect at the end of this month.
cURL was first launched three decades ago, under the name httpget and then urlget. Since then, it has become an indispensable tool among administrators, researchers, and security professionals, among others, for a wide range of tasks, including file transfers, troubleshooting faulty web software, and automating tasks. cURL is built into default versions of Windows, macOS, and most Linux distributions.
For a tool so widely used to interact with large amounts of data online, security is paramount. Like many other software makers, members of the cURL project have relied on private bug reports submitted by outside researchers. To provide an incentive and reward high-quality submissions, project members have paid cash rewards in exchange for high-severity vulnerability reports.
