Curl ends HackerOne bug bounty and shifts security reporting to GitHub
Security Tool/Service
Summary
curl is ending its HackerOne bug bounty program and moving vulnerability reporting to GitHub, cutting off monetary rewards after a surge of low-quality submissions. The change affects curl and libcurl reporters and takes effect across January 31-February 1, 2026. It matters because the project is withdrawing from a long-running disclosure channel to reduce noise and protect maintainer capacity.
Related Happenings
HackerOne Internet Bug Bounty pauses new vulnerability submissions
Security Tool/Service
First: 08.04.2026 22:47
Last: 08.04.2026 22:47
Sources 1
About this happening:
**HackerOne** paused new vulnerability submissions to its **Internet Bug Bounty (IBB)** program, a change that alters how a major crowdsourced vulnerability platform operates. The...
Timeline
-
22.01.2026 21:01 2 articles · 4mo ago
curl announces end of HackerOne bug bounty
Initial Disclosure: curl founder and lead developer Daniel Stenberg announces that the curl project will end its HackerOne bug bounty program because the security team is being overwhelmed by low-effort, invalid, and apparently AI-generated vulnerability reports; the project will no longer offer monetary rewards for reported bugs or vulnerabilities or help researchers seek compensation from third parties.
Sources:
- Curl ending bug bounty program after flood of AI slop reports — www.bleepingcomputer.com — 22.01.2026 21:01
-
22.01.2026 21:01 1 articles · 4mo ago
curl keeps HackerOne intake open through January 31, 2026
Campaign Scope Update: The curl project keeps accepting HackerOne submissions until January 31, 2026, and any reports already in progress on that date continue to be processed while the bounty program winds down.
Sources:
- Curl ending bug bounty program after flood of AI slop reports — www.bleepingcomputer.com — 22.01.2026 21:01
-
22.01.2026 21:01 1 articles · 4mo ago
curl moves new security reports to GitHub on February 1, 2026
Campaign Scope Update: Starting February 1, 2026, curl stops accepting new HackerOne submissions and asks researchers to report security issues directly through GitHub, replacing the bounty-based intake path with a direct-report workflow.
Sources:
- Curl ending bug bounty program after flood of AI slop reports — www.bleepingcomputer.com — 22.01.2026 21:01