Overview
- The project confirmed on its GitHub account that the vulnerability reward program will terminate at the end of January.
- Lead developer Daniel Stenberg said the maintainers have been overrun by low-quality, often AI-generated reports, jeopardizing team capacity and mental health.
- Stenberg warned that reporters who submit low-value "crap" will face bans and public ridicule.
- Some users expressed concern that eliminating payments removes a key incentive for high-quality vulnerability disclosures.
- The team emphasized that well-prepared bug reports remain welcome, including AI-assisted findings that follow cURL’s AI usage rules.