AI CERTS
AI Slop, Bug Bounties, and Open Source Sustainability at cURL
cURL's decision to shut down its bug bounty program demonstrates how cheap automation can strain volunteer maintenance capacity. Generative AI lets bounty hunters spray plausible but false vulnerability reports at scale. Daniel Stenberg, cURL's lead maintainer, calls this barrage “AI Slop” and compares the load to a virtual DDoS; an actual DDoS also hit his personal server last year. This article unpacks the timeline, metrics, and industry implications, then explores how Open Source Sustainability may adapt.
Bug Bounty Program Backlash
Stenberg launched the HackerOne program in 2019; it has paid out over $90,000 across 81 valid findings. Initially, the rewards attracted skilled researchers and strengthened cURL security. In 2025, however, report volume spiked nearly eightfold. Roughly 20% of submissions carried the hallmarks of AI Slop, while only about 5% proved genuine. Triage consumed scarce maintenance hours, with a single false lead often costing three exhausting hours to investigate and close.

- Historical payouts: $90,000 distributed since 2019.
- Early 2026: seven junk reports arrived within 16 hours.
- Team size: seven security volunteers.
- False positive rate: roughly 95% during 2025.
- Long-term Open Source Sustainability demands accurate signal filtering.
These numbers reveal a broken incentive loop: monetary rewards now amplify noise more than insight. The flood of AI-generated content is the next challenge.
AI Slop Flood Arrives
Generative models can draft complete vulnerability narratives in seconds, and bounty hunters can iterate prompts until a report looks convincing. Stenberg responded by adding an explicit “Did you use AI?” checkbox to the HackerOne intake form. Submissions kept growing nonetheless, and he threatened lifetime bans for anyone submitting blatant Slop. He described the experience as being “effectively DDoSed” without a single hostile packet: the traffic stayed on the platform, but the cognitive load hammered the tiny maintenance crew.
Human Cost Rapidly Escalates
Each invalid report still demands reproduction attempts, discussion, and a polite closure. A single week of junk reports can devour 20 volunteer hours. Morale eroded, with maintainers admitting the process “grinds down our will to live.” Meanwhile, genuine researchers waited longer for feedback, leaving real vulnerabilities unpatched for longer. Burnout directly undermines Open Source Sustainability for critical libraries.
Generative AI changed the economics of submission overnight: producing a report became nearly free, so human review became the scarce, expensive resource. That reality drove cURL to rethink its entire disclosure model.
cURL Security Model Shifts
On 31 January 2026, the cURL project officially closed its HackerOne program. From 1 February, reporters must use GitHub's vulnerability reporting instead, with no financial reward. Stenberg hopes that removing the payout will deter casual Slop, and he likens the switch to rate limiting during a traditional DDoS defense. Triage will still happen, but the team regains control of its schedule and reduces alert fatigue. The new model tests whether reduced noise can bolster Open Source Sustainability.
DDoS Pressure Evidence Emerges
In April 2025, a genuine DDoS hit Stenberg's origin server, and its traffic was null-routed for an hour. Fastly's edge absorbed the blast, but the episode provided a visceral metaphor. Stenberg now frames resource overload, whether network or cognitive, as a shared threat. Improved tooling and disciplined maintenance practices remain essential safeguards, and resilience planning is a cornerstone of Open Source Sustainability during active attacks.
Policy shifts aim to restore a manageable workflow. At the same time, technical improvements must accompany cultural change. Industry observers are weighing the broader implications and prospective responses.
Wider Ecosystem Impact Analysis
Open source libraries underpin thousands of commercial applications. Therefore, disruptions at cURL signal systemic exposure across the supply chain. Other small teams report similar noise surges on Bugcrowd and GitHub. Moreover, platform operators are developing provenance checks and automated triage scoring. Policy makers debate whether financial bounties remain viable for fragile projects.
Future Resilience Tactics Proposed
Analysts suggest layered defenses that blend policy, automation, and community norms. For example, mandatory proof-of-concept exploits could filter low-effort submissions. Additionally, projects may pool funds for shared triage infrastructure. Professionals can enhance their expertise with the AI-Educator™ certification to design ethical AI processes. Such training aligns directly with Open Source Sustainability goals.
Stakeholders agree that sustainability depends on balanced incentives and smarter automation. Consequently, combined initiatives will decide the ecosystem’s future trajectory. These considerations set the stage for decisive action.
Open Source Sustainability now stands at a crossroads. Nevertheless, data-driven policies and targeted education offer a realistic path forward. Projects must balance openness with safeguards that discourage low-value noise. Furthermore, platform providers should integrate provenance scanning and feedback loops to protect maintainers. Readers invested in Open Source Sustainability should explore community discussions, contribute review bandwidth, and pursue specialised learning. Consequently, your next step could be enrolling in an advanced certification or mentoring new contributors. Take action today and help ensure resilient, sustainable open source infrastructure.