HackerOne extends safe harbor protections to AI research, cURL scraps bug bounties


AI is impacting bug bounties at both ends of the pipeline: HackerOne has launched a legal safe-harbor framework for researchers, while the open-source project cURL says it is scrapping bounty payouts to curb a surge of low-quality AI-generated reports.

On Tuesday, HackerOne announced the Good Faith AI Research Safe Harbor, a new framework designed to give security researchers clearer authorization and legal protections when testing AI systems.


The ethical hacker and bug bounty platform said the move addresses a growing problem: researchers cannot always tell whether testing AI tools and systems falls within the rules of what counts as permitted activity, which it claims is fast becoming “a legal grey area, even when researchers are acting responsibly.”

It argues that, as AI systems scale across core products and services, vulnerability testing doesn’t always fit traditional disclosure models: a flaw in an AI model isn’t always a patchable bug or a single line of code.

HackerOne hopes its new framework for AI testing will protect ethical hackers from a legal grey area. Image: Shutterstock

Such flaws can emerge as behaviors, from jailbreaks and prompt injection to unwanted data exposure, and are often discovered through techniques that can look suspiciously like misuse even when the intent is defensive.

By extending its Gold Standard Safe Harbor, launched in 2022, to AI-powered systems, HackerOne says it is defining a shared standard for organizations and researchers.

“AI testing breaks down when expectations are unclear,” said Ilona Cohen, chief legal and policy officer at HackerOne.

“Organizations want their AI systems tested, but researchers need confidence that doing the right thing won’t put them at risk. The Good Faith AI Research Safe Harbor provides clear, standardised authorization for AI research, removing uncertainty on both sides.”

CEO Kara Sprague framed it as a trust issue: without real-world testing, confidence in AI systems is likely to erode quickly.


“By extending safe harbor protections to AI research, HackerOne is defining how responsible testing should work in the AI era. This is how organisations find problems earlier, work productively with researchers, and deploy AI with confidence.”

Why cURL is stopping bounty payouts

Separately, the Swedish electronics title Elektroniktidningen reports that cURL, a widely used open-source networking library, is to end bounty payouts at the end of January.

The reason given by the project’s maintainers is that it has been flooded with AI-generated bug reports, most of which are “pure nonsense,” creating heavy triage work and pulling focus away from real security issues.

Maintainer Daniel Stenberg said the project needs to “break the flood” to avoid drowning. The hope is that removing financial rewards will reduce the incentive for low-effort submissions.

Notably, the move has support from well-known bug hunter Joshua Rogers, who has used AI tools in his own workflow but argues that bounty money isn’t the real motivator for serious researchers anyway.

“The real incentive for finding a vulnerability in cURL is the fame ('brand is priceless'), not the hundred or a few thousand dollars. $10,000 (maximum cURL bounty) is not a lot of money in the grand scheme of things, for somebody capable of finding a critical vulnerability in curl.”

Bug hunter Joshua Rogers.

The move suggests that while bug bounties aren’t broken, they will continue to be stress-tested this year.
