What Curl's Bug Bounty Teaches Us About Code Security in the AI Era
Curl’s bug bounty ending shows teams don’t need more signals, they need trustworthy ones. Code security is about validation, prioritization, and governance.
On January 31st, open-source data transfer tool curl ended its long-running bug bounty program. Since 2024, the share of genuine vulnerabilities reportedly fell from around 15% to just 5%, as maintainers saw a surge in low-quality, often AI-generated submissions.
For the curl team, the issue went beyond workload to something harder to quantify: trust. As curl’s founder and lead developer Daniel Stenberg notes, the constant stream of weak bug reports takes a real mental toll and significant time to disprove.
This is a story about what happens when the volume of automated findings grows faster than an organization’s ability to validate them. It’s also a preview of what many enterprise engineering teams beyond open-source tools are already experiencing.
Key takeaways
- AI is scaling findings faster than teams can validate them. Validation (not discovery) is becoming the real bottleneck.
- Volume-based security metrics create false confidence in AI-assisted environments.
- Trust erodes when signals aren’t credible, leading to fatigue and slower decisions.
- The next maturity step in code security is credibility-first governance, built on validation, prioritization, and measurable impact.
Removing Friction Means Removing A Quality Control
Bug bounty programs historically relied on an unspoken filter: hard work. Writing a credible vulnerability report required real effort, and that effort acted as a form of quality control.
This kind of productive friction helped maintain signal quality. Low-effort actors were naturally filtered out because generating a convincing report took time and expertise. AI has removed a lot of that friction from code generation, but it hasn’t reduced the human expertise required to validate a finding.
When generation gets faster but verification still takes effort, the system tilts toward overload. It helps explain why many teams, like curl’s, are now hitting a new constraint: validation capacity.
The New Code Security Bottleneck
What ultimately strained curl’s bug bounty program is the same thing pressuring engineering and security teams everywhere – the rising cost of separating real signal from AI-generated noise.
For years, the challenge in code security was discovery. Finding vulnerabilities was hard, slow, and expensive.
AI has changed that.
Today, generating findings is easier than ever. Automated tools can surface potential issues at unprecedented scale. But the cost of validating those findings hasn’t fallen at the same rate. In many organizations, it’s rising.
Low-quality reports still require human review. False positives interrupt senior engineers. Ambiguous findings demand judgment, often from the people least available to provide it.
The result is a shift in constraint from detection to expert attention, and the risk of drowning in vulnerabilities. While AppSec teams feel this acutely, engineering leaders bear accountability.
This matters because senior engineering attention is an expensive and limited resource. When that time is consumed by triage, it’s not spent on delivery, architecture, or innovation. Every hour validating noise is an hour not building value.
When Volume Stops Meaning Value
Many organizations still rely on volume-based indicators, like number of vulnerabilities found, number of alerts generated, and number of issues logged or closed.
With AI embedded across production workflows, these metrics become easier to inflate and harder to interpret.
- Dashboards look active but it’s not clear where code is really exposed.
- Teams seem productive when in reality they’re overwhelmed.
- Leaders feel informed despite operating on noisy signals.
Measure volume, and AI will optimize for volume (whether it’s useful or not). If your metrics reward activity, AI will manufacture activity. That doesn’t mean risk is going down.
The Trust Problem We’re Not Talking About
As Daniel Stenberg described it, a flood of low-quality bug reports is like “pouring sand into the machine.” It causes friction that slows the entire system: reviewers waste time, and real vulnerabilities are harder to spot.
Over time, the machine still runs, just less smoothly, less reliably, and at higher cost.
This friction erodes trust and leads to alert fatigue. Engineers react more slowly, question the tools, deprioritize alerts, and rely on instinct rather than data.
And once teams stop trusting signals, governance gets much harder. Trust is integral to effective decision making and leadership oversight, but it’s not easy to rebuild.
Why Governance Pressure is Growing
Regulatory pressure is reinforcing this shift. Frameworks like the EU Cyber Resilience Act are increasing expectations around vulnerability handling and documented security processes.
Regulation isn’t the root problem, but it does make the consequences harder to ignore. And even without it, engineering leaders still need defensible answers:
Are our security signals credible?
Can we justify prioritization decisions?
Do we have evidence of real improvement?
Security today is something you need to be able to explain, justify, and prove.
From “More Security” to Credible Security
These changes require a more mature model – credibility-first code security. That means focusing on:
- Validation before escalation: Not every finding deserves equal attention. Confidence, context, and reproducibility matter.
- Prioritization by impact: Severity alone isn’t enough. Remediation effort, reachability, and business relevance must factor in.
- Intelligently shifting left : Earlier detection only helps if it reduces downstream noise.
- Leadership-level visibility: Objective, code-level insight into trends, not just activity reports.
Fundamentally, it’s about doing the right security work, rather than more of it.
A More Mature Way to Use AI
As commentators on curl’s bug bounty decision note, AI isn’t the villain in this story. Problems start to compound when it’s used without a system in place to govern it and measure its output.
Curl’s decision exposes the real cost of unvalidated AI. Leaders already suspected these risks; what’s been missing is a practical, measurable way to govern AI at the code level.
A mature AI strategy is built around measurable impact. That’s the philosophy behind a credibility-first approach to AI in code security: using AI to validate, filter, and prioritize, not just generate output.
What Curl’s Story Means
Seeing Curl’s experience as an isolated open-source anecdote misses the fact that it’s actually a marker of a broader shift. And as AI adoption accelerates, successful organizations will set themselves apart with validation, prioritization, and evidence.
Curl chose signal over volume. Effective enterprise engineering teams are doing the same.
