cURL Developer Stopped Paying for Vulnerabilities Due to AI Spam
AI-processed from CNews AI; edited by Hamidun News
The developer of the widely used cURL utility, which ships with practically every Linux distribution as well as macOS and Windows, has announced the end of the project's Bug Bounty program, which had been running since 2019. The reason is simple and telling: the development team could no longer cope with the flood of worthless bug reports generated by artificial intelligence and submitted by bounty hunters.
A Bug Bounty program, that is, a program that pays rewards for reported security bugs, is common practice in open source software development. It lets a project attract outside security researchers to look for vulnerabilities in its code in exchange for monetary rewards. Both sides benefit: developers get a chance to improve the security of their product, and researchers can earn money from their expertise.
In the case of cURL, however, the situation got out of hand. Advances in artificial intelligence have made it cheap to mass-produce plausible-looking vulnerability reports. Unscrupulous participants in the Bug Bounty program began using AI to generate huge numbers of submissions, most of which turned out to be false or to describe non-issues. Every such report still had to be read, reproduced and rejected by the maintainers, and the time and resources this consumed made the program no longer worth running.
This case raises important questions about the future of Bug Bounty programs in the age of artificial intelligence. On one hand, AI can be a useful tool for automating parts of vulnerability research and making security researchers more productive. On the other hand, it can just as easily be used for abuse, as happened with cURL. Developers need to adapt their Bug Bounty programs to the new reality to prevent similar situations. That may mean stricter acceptance criteria for reports, such as requiring a working proof of concept and reproducible steps before a submission is triaged, as well as AI-assisted filtering of low-quality reports on the receiving side.
Ending the Bug Bounty program may have negative consequences for the security of cURL. What ends is the payment, not the handling of security reports, but fewer independent researchers looking for vulnerabilities could mean that some serious bugs go unnoticed. Ultimately, this could increase the risk of attacks on the many systems that depend on cURL.
This incident shows that the spread of AI creates new challenges for the information security industry. Developers need to be prepared for them and adapt their working methods so that they can make effective use of AI while protecting themselves from its misuse. Otherwise, we may face a situation in which AI, instead of improving security, contributes to its decline.