Curl creator mulls nixing bug bounty awards to stop AI slop

⁨57⁩ ⁨likes⁩

Submitted ⁨⁨1⁩ ⁨week⁩ ago⁩ by ⁨PhilipTheBucket@quokk.au⁩ to ⁨technology@beehaw.org⁩

https://go.theregister.com/feed/www.theregister.com/2025/07/15/curl_creator_mulls_nixing_bug/

source

Comments

Sort:hotnew top

JakenVeina@midwest.social ⁨1⁩ ⁨week⁩ ago
Add a submission fee that gets refunded as part of the bounty payout, or if the reviewer otherwise judges the submission as obviously legitimate.

source
- bamboo@lemmy.blahaj.zone ⁨1⁩ ⁨week⁩ ago
  In the blog post, Daniel does discuss why that is a heavy handed approach:
  
  People mention charging a fee for the right to submit a security vulnerability (that could be paid back if a proper report). That would probably slow them down significantly sure, but it seems like a rather hostile way for an Open Source project that aims to be as open and available as possible. Not to mention that we don’t have any current infrastructure setup for this – and neither does HackerOne. And managing money is painful.
  
  source
  - locuester@lemmy.zip ⁨1⁩ ⁨week⁩ ago
    
    managing money is painful
    
    If only there were an internet programmable money layer….
    
    Really, this is a simple program that could be written on any number of decentralized financial networks. No custodian of the money is required.
    
    It’s a shame everyone rolls their eyes when you mention a programmable money solution tho. Crypto bros really fucked themselves there with all the grifting
    
    source
    -> View More Comments
- jeena@piefed.jeena.net ⁨1⁩ ⁨week⁩ ago
  Oh that is a surprisingly good idea actually.
  
  source
jeena@piefed.jeena.net ⁨1⁩ ⁨week⁩ ago
Paying out money to people who send in bug reports is probably the main problem because it incentivizes them to use AI and send in as many as possible throwing everything against the wall and hoping that something sticks and they get a payout. While this was a good method before AI, now with AI being able to produce reasonable sounding text he needs to stop the money transfer, otherwise they will drown in reports and this number of 5% will get way lower.

source
- bamboo@lemmy.blahaj.zone ⁨1⁩ ⁨week⁩ ago
  Still this seems like a HackerOne problem, they’re acting as the middleman and I assume are taking part of the payout. What are they doing to earn the money they’re taking? The reason to go with HackerOne is to facilitate the interactions with people and pass the reports. It shouldn’t be a Curl maintainers responsibility to spot obvious AI slop. Maybe this is just the tier they’re on with HackerOne, but considering this is HackerOne’s business model, I would imagine that if huge companies are also dealing with this, then HackerOne will loose a lot of clients.
  
  source