Bug bounty programs
Using AI to generate junk vulnerability reports to "try their luck" at bounty money! Developers anger curl's founder: bug bounty cancelled
程序员的那些事 · 2026-01-26 04:44
Reposted from CSDN (ID: CSDNnews). Dragged down by a flood of AI-generated "junk vulnerability reports", with maintainers exhausted from responding and unable to assess code quality, a project was finally forced to shut down a bug bounty program that had run for years. This is what recently happened to the open source data transfer tool curl, and it may be the reality that more and more open source projects are now facing. Last week, curl founder and lead developer Daniel Stenberg pushed a commit to the GitHub repository that was direct almost to the point of being "cold", titled: "BUG-BOUNTY.md: we will end the bug bounty program at the end of January 2026". In that commit he stated plainly that all content related to the bug bounty and the HackerOne platform would be removed from the project. This means that curl's bug bounty program, launched in 2019 and running for many years, is officially coming to an end. A small maintenance team crushed by "AI junk". In the explanation published afterwards, Daniel Stenberg did not shy away from the real reason. "We are just a small open source project with a limited number of active maintainers," he wrote. "We have no way to change how these people and their 'junk-generating tools' operate. For the project to keep going, and for the mental health of its maintainers, we have to make a change." As one of the most widely used network tools on the internet, cur ...
Using AI to generate junk vulnerability reports to "try their luck" at bounty money, developers anger curl's founder: bug bounty cancelled, don't waste our time or you will be banned and publicly mocked
36Kr · 2026-01-23 11:41
Dragged down by a flood of AI-generated "junk vulnerability reports", with maintainers exhausted from responding and unable to assess code quality, a project was finally forced to shut down a bug bounty program that had run for years. This is what recently happened to the open source data transfer tool curl, and it may be the reality that more and more open source projects are now facing. Last week, curl founder and lead developer Daniel Stenberg pushed a commit to the GitHub repository that was direct almost to the point of being "cold", titled: "BUG-BOUNTY.md: we will end the bug bounty program at the end of January 2026". In that commit he stated plainly that all content related to the bug bounty and the HackerOne platform would be removed from the project. This means that curl's bug bounty program, launched in 2019 and running for many years, is officially coming to an end. A small maintenance team crushed by "AI junk". In the explanation published afterwards, Daniel Stenberg did not shy away from the real reason. "We are just a small open source project with a limited number of active maintainers," he wrote. "We have no way to change how these people and their 'junk-generating tools' operate. For the project to keep going, and for the mental health of its maintainers, we have to make a change." As one of the most widely used network tools on the internet, the curl project has seen the quality of the vulnerability reports it receives decline sharply in recent years; many ...
Cook is busy with livestream selling! Apple's next CEO is focused on AI……
Sohu Finance · 2025-10-19 04:06
Core Points
- Apple has announced a significant expansion and redesign of its vulnerability reward program, doubling the maximum payout and introducing new research categories with a more transparent reward structure [2][6]
- Since the program's launch in 2020, Apple has awarded $35 million to 800 security researchers, with rewards reaching up to $500,000 for specific vulnerabilities [4][6]
- The maximum base reward has increased to $2 million for reporting vulnerabilities that could lead to zero-click remote intrusions [5][6]

Summary by Category

Vulnerability Reward Program
- Apple has expanded its vulnerability reward program, increasing the maximum payout to $2 million and introducing new categories for research [2][6]
- The program has awarded $35 million to 800 researchers since its inception in 2020, with specific rewards for various types of vulnerabilities [4][6]

Reward Structure
- The reward structure includes a range of payouts, from $5,000 to $500,000, depending on the severity and type of vulnerability reported [5]
- For less impactful but valid reports, Apple will issue a $1,000 "encouragement award" [8]

Leadership and Future Direction
- Mark Gurman suggests that John Ternus, Apple's Senior Vice President of Hardware Engineering, is a leading candidate to succeed Tim Cook as CEO due to his technical expertise and increasing visibility [12][15]
- Ternus has been entrusted with key decisions regarding product roadmaps and strategies, indicating his growing influence within the company [15]
Developers can't take it anymore: "bug bounty hunters" are about to be driven out of work
36Kr · 2025-07-28 12:06
Group 1
- The article discusses the shift in the online money-making community from "labor-intensive" methods to "technology-leveraged" approaches, particularly in the context of AI-generated content [1]
- Content platforms are increasingly implementing "AI account creation" governance actions to combat the gray market of AI-generated accounts, making it harder to exploit content [1]
- The rise of AI has led to a surge in fraudulent vulnerability reports in security bounty programs, causing significant disruptions for projects like curl and Python [3][4]

Group 2
- The concept of "bug bounty programs" has emerged as a solution for software developers to identify vulnerabilities, with major tech companies offering substantial rewards for discovered bugs [4][6]
- The article highlights that companies like Zerodium have paid up to $2.5 million for a single Android vulnerability, while Google has distributed over $10 million in bounty rewards in 2023 [6]
- The role of "bug bounty hunters" has evolved, requiring advanced skills in network penetration and code auditing, but the advent of generative AI has made it easier for even non-experts to create vulnerability reports [7][9]

Group 3
- Generative AI can produce highly convincing vulnerability reports, complicating the verification process for bounty program reviewers and wasting their time and resources [12]
- The article suggests that halting bounty rewards could effectively reduce the influx of AI-generated false reports, as genuine contributors would still submit vulnerabilities without financial incentives [12]