May 15, 2026
Bug bounty meets bot bounty
The Wonders of AI: We Are Retiring Our Bug Bounty Program
AI spam swarmed the cash reward so hard the humans gave up
TLDR: Turso ended its cash-for-bugs program after being swamped by AI-generated junk submissions instead of real reports. Commenters turned it into a broader warning: spammy machine-made content is making community-run software harder to protect, and many think the big platforms should step in.
Turso, the database startup trying to build something as trustworthy as the software world’s gold standard, has pulled the plug on its $1,000 bug bounty after getting buried under what it bluntly calls AI slop. The idea had sounded noble: if anyone found a flaw that could damage users’ data, they’d get paid. Instead, maintainers say their days turned into a grim game of closing mountains of junk reports and low-quality pull requests from people chasing easy money.
And the comment section? Absolutely feral. The loudest reaction was basically: AI skeptics told you so. One commenter mocked the whole mess as “exactly what AI skeptics said would happen,” with cheap machine-made spam making life miserable for people actually trying to build things. Another zoomed out and argued this proves the real bottleneck in software isn’t typing code at all, it’s the painful human work of reading, reviewing, and understanding it. Ouch.
There was also some practical arguing over how to stop the flood. One person suggested a “three strikes” system for spam submitters, only to quickly admit the obvious catch: figuring out who’s real and who’s just cycling through fresh accounts is its own nightmare. And yes, the jokes landed too: one commenter wondered what modern Hacktoberfest would look like with rewards still flowing, quipping there’s probably “not enough cotton in the world” for all the free T-shirts. The mood is a mix of anger, exhaustion, and dark laughter — with many saying this isn’t just Turso’s problem, it’s a warning for the whole open-source world.
Key Points
- Turso is ending its $1,000 bug bounty program for bugs that can be shown to cause data corruption.
- The company says the program became difficult to operate because maintainers were overwhelmed by low-quality AI-generated pull requests.
- Turso says it wants to remain open to contributions, but the financial reward made the repository a target for abusive submissions.
- The bounty was originally created to support confidence in Turso's rewrite of SQLite and to uncover gaps in automated testing.
- Turso says its testing stack includes a Deterministic Simulator, fuzzers, differential testing against SQLite, a concurrency simulator, and extensive Antithesis runs.