Turso is retiring its security bug bounty program at the end of the current month [1].
The decision highlights a growing challenge for open-source maintainers as generative AI tools lower the barrier for submitting vulnerability reports. While these tools can assist legitimate researchers, they also enable a surge of low-quality submissions that drain developer resources.
Turso, an open-source database project, said that the majority of reports labeled as "CRITICAL" were actually low-quality noise [1]. The project described these submissions as "AI slop," referring to automated reports that appear significant but lack substantive security flaws [1].
This trend is not isolated to Turso. Other major open-source initiatives have faced similar pressures. The curl project also moved to discontinue its bug bounty program due to an avalanche of AI-generated submissions [2], [3]. Reports on the curl program's end date vary, with some sources citing the end of January [2] and others indicating February 2026 [3].
Bug bounty programs are designed to incentivize ethical hackers to find and report security holes before malicious actors can exploit them. However, the rise of large language models has allowed users to scan code and generate plausible-looking vulnerability reports without truly understanding the underlying logic. This creates a high volume of "false positives" that require manual verification by human engineers.
By ending the program, Turso aims to reduce the administrative burden of filtering through automated noise. The project will no longer offer financial incentives for these reports at the end of the month [1].
“The majority of reports labeled as "CRITICAL" were actually low-quality noise.”
The retirement of these programs signals a shift in the open-source security model. As AI makes it trivial to generate 'noise' reports, the traditional bug bounty—which relies on a manageable stream of high-quality human insights—becomes unsustainable for smaller teams. Developers may move toward more curated, invite-only security audits to prevent AI-driven denial-of-service attacks on their maintenance workflows.
'%2F%3E%0A%20%20%20%20%3Crect%20width%3D'1600'%20height%3D'900'%20fill%3D'url(%23v)'%2F%3E%0A%20%20%20%20%3Cg%20opacity%3D'0.08'%20fill%3D'%23ffffff'%3E%0A%20%20%20%20%20%20%3Ccircle%20cx%3D'1420'%20cy%3D'180'%20r%3D'220'%2F%3E%0A%20%20%20%20%20%20%3Ccircle%20cx%3D'1500'%20cy%3D'760'%20r%3D'120'%2F%3E%0A%20%20%20%20%3C%2Fg%3E%0A%20%20%20%20%3Cline%20x1%3D'80'%20y1%3D'172'%20x2%3D'220'%20y2%3D'172'%20stroke%3D'%23ffffff'%20stroke-width%3D'3'%20stroke-opacity%3D'0.6'%2F%3E%0A%20%20%20%20%3Ctext%20x%3D'80'%20y%3D'140'%20font-family%3D'Inter%2C%20-apple-system%2C%20Helvetica%2C%20sans-serif'%20font-weight%3D'700'%20font-size%3D'28'%20fill%3D'%23ffffff'%20letter-spacing%3D'6'%3EHANNA%20%C2%B7%20NEWS%3C%2Ftext%3E%0A%20%20%20%20%3Ctext%20x%3D'80'%20y%3D'230'%20font-family%3D'Inter%2C%20-apple-system%2C%20Helvetica%2C%20sans-serif'%20font-weight%3D'600'%20font-size%3D'40'%20fill%3D'%23ffffffb3'%20letter-spacing%3D'4'%3ETECH%3C%2Ftext%3E%0A%20%20%20%20%3Ctext%20x%3D'80'%20y%3D'694'%20font-family%3D'Playfair%20Display%2C%20Georgia%2C%20serif'%20font-weight%3D'800'%20font-size%3D'110'%20fill%3D'%23ffffff'%20letter-spacing%3D'-1'%3ERazer%20Releases%202026%20Blade%2016%3C%2Ftext%3E%3Ctext%20x%3D'80'%20y%3D'820'%20font-family%3D'Playfair%20Display%2C%20Georgia%2C%20serif'%20font-weight%3D'800'%20font-size%3D'110'%20fill%3D'%23ffffff'%20letter-spacing%3D'-1'%3EWith%20New%20Intel%20Chip%3C%2Ftext%3E%0A%20%20%20%20%3Ctext%20x%3D'80'%20y%3D'870'%20font-family%3D'Inter%2C%20-apple-system%2C%20Helvetica%2C%20sans-serif'%20font-weight%3D'500'%20font-size%3D'22'%20fill%3D'%23ffffff66'%20letter-spacing%3D'2'%3Enews.hanna-ai.com%3C%2Ftext%3E%0A%20%20%3C%2Fsvg%3E)
