kccqzy 4 hours ago

Reverse what? Let’s take curl as an example. Daniel Stenberg wrote about how he had to stop curl’s bug bounty program due to prevalent AI slop[0]. He also wrote about how he eventually restarted security bug reports without a bounty[1]. It turns out that without a bounty, the reports are higher quality. It almost seems like by removing the monetary incentive, it attracts people who are reporting bugs due to genuine altruism and concern for security, rather than hope for a quick buck. It feels like it harkens back to an earlier age of free software development on the Internet untainted by commercial interests.

So my opinion is that security bug reports should continue, but bug bounties should not. Turso should probably still encourage corruption bug reports but with no bounty.

[0]: https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-b...

[1]: https://daniel.haxx.se/blog/2026/04/22/high-quality-chaos/
singpolyma3 19 minutes ago

curl's posts never imply that the money is the main factor. But it may indeed be a factor that's been missed.