
Curl Project Ends Bug Bounty Program Due to AI-Generated Spam; Critical Vulnerabilities and Cybersecurity Incidents Reported
The Curl project terminated its bug bounty program in January 2026, citing a surge in irrelevant submissions generated by AI since 2024, which were labeled as "slop." Since 2019, 87 confirmed vulnerabilities had been rewarded with a total of $100,000. Reports remain possible via GitHub, but submissions deemed AI-generated will result in bans and "public ridicule."

Three vulnerabilities (CVE-2025-68143, CVE-2025-68145, CVE-2025-68144) were discovered in Anthropic's MCP server, enabling remote code execution through prompt injection attacks and misconfigured Git filters.

Cloudflare disclosed a BGP leak on January 22, 2026, at 20:25 UTC, affecting its Miami infrastructure for 25 minutes due to an error in an automated routing policy.

Malicious actors are targeting identity providers like Okta, Microsoft, and Google with dynamic phishing tools, potentially AI-assisted.

The group World Leaks published internal Nike data.