The number of reports coming into the bug bounty program has increased by a factor of 10 year-on-year. The reason is obvious: the rise of AI code analysis tools. A blog post by the founder of cURL, Daniel Stenberg, eloquently documents the issues caused by such an influx of reports, and we won’t repeat them here.
In our case, the value of the valid reports still outweighs the burden of the invalid ones, so we are not closing the bounty program at this time. Participants in the program should be aware, however, that we are experiencing significant delays in processing reports.
We are currently facing a backlog of 7-10 days.
Please remain patient and rest assured that we will respond to your report as soon as we can.