Curl pauses security reports again as maintainers are overwhelmed with AI-generated bug reports

From July 1st to August 3rd, 2026, the Curl project won’t accept or handle any vulnerability reports. The submission form on HackerOne will be temporarily closed during this period.

In addition, developers won’t check the security vulnerability email address during that time. The reporting of any security issues will simply have to wait. Curl’s issue and pull-request trackers on GitHub remain open and active like normal.

Due to the temporary break, the next version of Curl will be released later. Curl 8.22.0 was scheduled for release in August, but will be postponed to September 2nd.

Curl lead developer Daniel Stenberg calls it the “Curl summer of bliss,” giving Curl maintainers the time and opportunity to chill and relax because they’ve been under a lot of pressure the last four months.

“Now we need some rest. We do not expect this deluge to be over,” Stenberg says.

The number of AI-generated vulnerability reports has increased significantly in recent months, which is often referred to as “AI slop.” That’s why, in January, Curl decided to terminate bug bounty payouts.

“The never-ending slop submissions take a serious mental toll to manage and sometimes also a long time to debunk. Time and energy that is completely wasted while also hampering our will to live,” Stenberg said at the time.

Other companies resolved the issue of AI-generated nonsense bug reports the same way.

HackerOne paused its Internet Bug Bounty program, Google is rejecting AI-created reports, and the Linux Foundation raised $12.5 million in emergency funding because AI tools are finding security problems faster than people can fix them.

In April, Nextcloud admitted it was being flooded with worthless AI-generated reports. Because of this, the company decided to end its bug bounty program.

“Like many other software projects, we have been receiving an increasing number of generic AI security reports via platforms such as HackerOne for some time now. This makes it difficult for us to identify high-quality reports. Our aim is to reduce the number of low-effort AI-generated reports and focus on what really matters,” the cloud service provider said.