curl Shuts Bug Bounty as AI CVE Submissions Surge
Key insights
- curl's six-year, $90K bug bounty program was shut down in 2026 because AI-generated CVE submissions overwhelmed maintainer triage capacity.
- Anthropic's Mythos security tool reviewed curl's source via Linux Foundation Alpha Omega and confirmed only one of five flagged vulnerabilities as real.
- Stenberg's post on the shutdown is a named, first-person account of AI-generated CVE spam materially harming an established open-source project's security program.
Why this matters
AI-generated CVE submissions have crossed a threshold where they can shut down a mature bug bounty program at a project with the scale and longevity of curl, revealing that volunteer triage capacity is a point of failure that can be overwhelmed by sheer report volume. In this real-world audit, a frontier AI security tool (Anthropic Mythos) produced a 20% signal rate (one confirmed finding out of five flagged), meaning practitioners adopting AI for vulnerability detection should budget for roughly four false positives per confirmed finding. Open-source maintainers, already under-resourced, now face two compounding AI pressures: inbound noise from AI-generated reports, and the organizational cost of evaluating which AI-assisted auditing tools are worth trusting.
Summary
Daniel Stenberg shut down curl's six-year bug bounty program this year after AI-generated CVE submissions overwhelmed triage. Fake AI-generated reports consumed enough maintainer time to make the program untenable.
Anthropic's Mythos, run via Linux Foundation Alpha Omega, reviewed curl's source and flagged five potential vulnerabilities. One was real.
Essentially: Daniel Stenberg and Anthropic Mythos are the first named actors with concrete data on AI's impact on OSS security economics.
- curl's $90K, six-year bug bounty ended because AI CVE spam made triage untenable
- Anthropic Mythos flagged five curl vulnerabilities; one was confirmed real
- Stenberg's post is first-person, primary-source testimony
- A 20% confirmed rate from frontier AI security tooling is now public record
Potential risks and opportunities
Risks
- Open-source projects with smaller maintainer teams than curl could face silent triage collapse from AI CVE spam within 6-12 months, with no public shutdown to signal the breakdown
- An 80% false-positive rate from Anthropic Mythos creates risk if organizations adopt AI security auditing without mandatory human review layers: triage effort is wasted on non-issues and, through alert fatigue, genuine vulnerabilities in critical infrastructure can be missed
- Bug bounty platforms (HackerOne, Bugcrowd) face accelerating program attrition if AI-generated submissions continue scaling, undermining their core value proposition to enterprise security teams
Opportunities
- Automated CVE triage tools that filter AI-generated submissions before human review represent an underserved gap that security companies (Semgrep, Socket, Endor Labs) could build into existing platforms
- Linux Foundation Alpha Omega's Mythos deployment creates a replicable template for funded AI security audits of critical OSS infrastructure, opening budget conversations for vendors with open-source credibility
- Bug bounty platforms (HackerOne, Bugcrowd) could convert this threat into a paid feature by building AI-submission detection into their intake pipelines, differentiating on program quality guarantees
What we don't know yet
- The specific nature of the one confirmed curl vulnerability found by Anthropic Mythos, including its severity, CVE number, and patch status, is not disclosed in Stenberg's post
- Whether other critical open-source projects (OpenSSL, Linux kernel, FFmpeg) have seen comparable AI CVE submission surges or are absorbing them through different mechanisms
- Whether Linux Foundation Alpha Omega plans to scale Mythos-style AI audits across its portfolio and whether it will publish signal-to-noise ratios from those engagements
Originally reported by daniel.haxx.se
Original headline: curl Maintainer Daniel Stenberg Publishes 'The Pressure' — AI CVE Slop Forces Bug Bounty Shutdown, Anthropic Mythos Confirms One Real Vulnerability via Linux Foundation Alpha Omega