“AI Slop” Won’t Stop Lying
The cURL project — one of the internet’s quiet workhorses — has ended its bug bounty after being swamped with low-quality, often AI-generated “security reports” that waste maintainer time and drain morale. In true WTFNow fashion, we look at the bigger irony: AI wasn’t used to reduce workload… it created a fresh tsunami of noise, turning incentives into a spam engine. Here’s what happened, why it matters, and why “verification” is becoming the most expensive human skill online.


WTFNow: The Internet’s Oldest Workhorse Just Rage-Quit Its Bug Bounty Because “AI Slop” Won’t Stop Lying
There are days when the future arrives like a sleek rocket ship.
And there are days when the future arrives like a toddler with a label-maker, printing “CRITICAL VULNERABILITY” stickers and slapping them on your toaster.
Today’s story is the second one.
The cURL project — one of those invisible, unsexy bits of the internet that quietly powers everything from developer tooling to servers to apps you use every day — has ended its bug bounty program. Not because security is solved. Not because they ran out of money. Not because “we’re moving in a new strategic direction.”
But because they were getting flooded with garbage reports, many of them clearly AI-generated, and it was melting the brains of the humans who had to read them.
Let’s pause and appreciate how modern this is:
We invented AI to reduce human workload, and it immediately started generating new work at industrial scale.
That’s not innovation. That’s weaponised admin.
What actually happened (in plain English)
Daniel Stenberg (the creator/lead maintainer of cURL) wrote up why they’re ending the bounty: the program became a magnet for what he basically describes as “AI slop” — reports that look technical, sound scary, and sometimes even include code… but fall apart the moment you try to verify them.
Some were obviously nonsense. Others were the more dangerous kind: plausible nonsense — the sort of thing that wastes a full afternoon because you can’t dismiss it instantly.
And here’s the punchline: the bounty’s money was acting like a beacon. A glowing “FREE CASH HERE” sign for anyone willing to shovel reports into the system and hope one sticks. So the project basically said:
“Cool. We’re turning the cash tap off. Submit real bugs because you care, not because you’re farming payouts.”
That’s the new internet: paywalls to stop spam, bounties to stop “help.”
The real WTF: AI didn’t break cURL. It broke incentives.
This is the part that makes the story proper WTFNow material.
Because the weirdness isn’t “AI wrote a bad report.”
The weirdness is this:
We built a machine that can generate unlimited confidence.
Not unlimited truth. Not unlimited accuracy.
Unlimited confidence.
So now the world is full of text that sounds like expertise, produced by systems that don’t actually understand what they’re claiming. That’s fine when it’s someone posting “Top 10 microwave cleaning hacks.”
It’s less fine when it’s someone filing security reports against infrastructure software.
Because bug bounties are supposed to work like this:
A researcher finds a genuine vulnerability
They report it responsibly
The maintainers fix it
The researcher gets paid
Everyone wins
AI slop turns it into:
Someone prompts an AI: “Find a vulnerability in this codebase”
AI hallucinates an explanation with enough jargon to sound convincing
Human maintainers spend hours disproving it
Nobody gets safer
Everyone loses (except the slop-merchant’s dopamine levels)
That’s not “bug hunting.”
That’s security cosplay.
“But don’t bounties improve security?”
Yes. They can. That’s why this is so bleak.
Bounties are meant to reward the time and skill of people who can spot subtle flaws. When the pipeline is healthy, you’re basically paying for high-value signal.
But when the pipeline is clogged with AI sludge, the bounty stops being “security funding” and becomes an incentive to generate noise.
At that point the program isn’t improving security — it’s consuming it.
And cURL isn’t some random side project. It’s a foundational utility that gets embedded everywhere. So the maintainers burning out isn’t a quirky dev drama — it’s the internet quietly eating its own foundations.
This is the bit no one wants to admit:
Open source isn’t running on money. It’s running on human patience.
And “AI slop” is basically a patience-harvesting machine.
The most 2026 sentence ever written: “We can’t afford the mental toll of reading nonsense.”
One of the most important parts of the discussion (and the most relatable to anyone who’s ever moderated anything online) is that the cost isn’t just time.
It’s emotional.
It’s the feeling of opening your inbox and thinking:
“Is this going to be a real thing… or am I about to spend my evening proving that reality still exists?”
That kind of friction stacks up. And when the people doing the work are volunteers or under-resourced maintainers, you’re basically turning their life into an endless loop of:
Open report → verify → debunk → repeat.
So, yeah. They pulled the plug.
The twist: AI didn’t make security harder — it made trust harder
This is the angle that makes the whole story feel like a bigger omen.
Because the underlying problem isn’t just “bad reports.”
It’s that we’re entering an era where:
Anyone can generate plausible technical text
Volume can be weaponised
Verification stays stubbornly human
The cost of checking rises
The cost of lying collapses
So the new scarce resource isn’t “information.”
It’s attention that can verify information.
And the internet has never been good at protecting scarce resources. The internet sees scarcity and goes:
“Nice. Let’s set it on fire for engagement.”
The “WTFNow” conclusion: The robots aren’t taking jobs. They’re taking inbox capacity.
For years, the sci-fi fear was:
“AI will replace humans.”
But the reality is more ridiculous:
“AI will create infinite paperwork and humans will be trapped triaging it.”
We didn’t automate labour.
We automated bullshit.
And the most cursed part is that the slop looks like help. It arrives wearing the uniform of contribution. It speaks in the language of responsibility. It uses the right words — “vulnerability,” “exploit,” “proof of concept” — while delivering the intellectual equivalent of a wet napkin.
So now we’re at the stage where an iconic open source project has had to say:
“No more cash prizes, because the internet can’t behave.”
That’s not a tech story.
That’s a civilisation story.
Bonus: how this ends (pick your dystopia)
Here are the three likely futures:
Bounties become gated
Pay to submit. Deposit refunded if valid. Basically “anti-spam” but for security research.
Bounties become invite-only
Verified researchers only. Which is safer, but also risks shutting out newcomers who are legit.
Everything becomes slower and more private
Less public intake. More backchannel reporting. More friction. More gatekeeping. Less openness.
None of these feel like “progress.”
They feel like installing stronger locks because your neighbour invented a machine that throws fake keys at your door 24/7.
So yeah — cURL didn’t get hacked. The bounty system got “helped” to death.
Not by elite cybercriminals… but by an endless conveyor belt of AI-generated “maybe-bugs” written with the confidence of a man explaining your own job to you.
And that’s the real WTF: we didn’t automate security… we automated noise, and then acted shocked when the people holding the internet together finally said:
“Nope. Not reading one more fantasy vulnerability written by a chatbot in a trench coat.”
If the future is “AI everywhere,” then we’d better learn a new skill fast:
How to tell the difference between signal and an algorithm doing improv.
A production by OMGWTF — probably not a real company, but who’s checking?
