News: 0180628458


cURL Removes Bug Bounties (etn.se)

(Tuesday January 20, 2026 @10:30PM (BeauHD) from the thanks-to-AI dept.)


Ancient Slashdot reader [1]jantangring shares a report from Swedish electronics industry news site Elektroniktidningen (translated to English), writing:

> "Open source code library cURL is [2]removing the possibility to earn money by reporting bugs, hoping that this will reduce the volume of AI slop reports," reports etn.se. "Joshua Rogers -- AI wielding bug hunter of fame -- thinks it's a great idea." cURL maintainer Daniel Stenberg famously reported on the flood of AI-generated bad bug reports last year -- "[3]Death by a thousand slops." Now, cURL is removing the bounty payouts as of the end of January.

> "We have to try to brake the flood in order not to drown," says cURL maintainer Daniel Stenberg [...]. "Despite being an AI wielding bug hunter himself, Joshua Rogers -- slasher of a hundred bugs -- thinks removing the bounty money is an excellent idea. [...] I think it's a good move and worth a bigger consideration by others. It's ridiculous that it went on for so long to be honest, and I personally would have pulled the plug long ago," he says to etn.se.



[1] https://slashdot.org/~jantangring

[2] https://etn.se/index.php/72808

[3] https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-slops/



Coulda charged to submit a report. (Score:1)

by Anonymous Coward

If it's sensible, you'll probably get paid out. People would still do it.

Makes a lot more sense to put up a barrier to entry than to scrap the whole thing.

Re: (Score:2)

by martin-boundary ( 547041 )

That's not a hassle a typical open source project would want to get into. However, a startup could make it a business. Host a bug tracking system and manage a pay to play merchant account where bug submitters can pay by credit card upfront and register a bank account for receiving the bounty. The open source project gets to use the bug tracker for free, and accept or reject. If the bug is accepted, the bounty is paid out of the submission fees, minus operating costs.

This is one of the problems with "AI" (Score:3)

by liqu1d ( 4349325 )

It's not that it's inherently incapable of producing good results; it's that people abuse it through ignorance, incompetence or just a lack of care and create a flood of shite for others to wade through to find the small nuggets of gold. That mountain of shite severely holds back the progress of programmers who have to review it. Same with art, websites, video; all have the same AI problem.

Re: (Score:3)

by TurboStar ( 712836 )

Indeed. A good dev will use AI to submit a better PR. A bad dev will use AI to submit more PRs. If the goal is getting a PR that hits the money ball, guess which strategy works better? If the boss isn't a programmer, guess which dev gets favored?

Re: (Score:2)

by martin-boundary ( 547041 )

Isn't what you're saying *precisely* that AI is inherently incapable of producing good results? You're literally saying that an AI can't judge if what it produces is fit for purpose. So all the intelligence must reside in the human user.

That's not what AI have been sold as. They have been sold on the premise that AIs are more intelligent than that.

Re: This is one of the problems with "AI" (Score:2)

by liqu1d ( 4349325 )

Unfortunately I suspect the AI may be more intelligent than a lot of its proponents. I don't believe it to be intelligent at all. They're using a shotgun approach to find bugs. I haven't actually seen an AI bug report yet so for all I know it's a static scanner finding the bug and the entire "AI" side is adding some flowery wording to make it sound scary.

Re: (Score:2)

by drinkypoo ( 153816 )

No, the AI is capable of producing good results, but as it doesn't know anything, it doesn't know when it has done that. The problem is when the person who initiated the AI pushes the human review labor off onto some other person. If you're going to use an AI, you should have to review its output before some other human has to experience it.

captcha (Score:2)

by tiananmen tank man ( 979067 )

Can't they use captchas to prevent the AI bug reports, or can AI solve those too now?

Re: captcha (Score:2)

by liqu1d ( 4349325 )

Based on Outlook's latest set of captchas I'm starting to think I may be a bot. They're impossible to solve.

Re: (Score:1)

by Bradac_55 ( 729235 )

GPT-1 could bypass a Captcha faster than a human, so no, it wouldn't work.

Motive (Score:2)

by sound+vision ( 884283 )

If the motive of the sloppers is the bounty, this might stem the deluge.

But, I can think of other motives why people would want to impede cURL's security.
