www.lesswrong.com/posts/7aJwgbMEiKq5egQbd/ai-found-12-of-12-openssl-zero-days-wh...
1 correction found
"paid out over $90,000 for 81 genuine vulnerabilities"
These were older mid-2025 figures. When curl actually ended the program on January 26, 2026, Daniel Stenberg said it had produced 87 confirmed vulnerabilities and paid over $100,000 in rewards.
Full reasoning
This sentence uses outdated bug-bounty totals.
In Daniel Stenberg's July 14, 2025 post, he wrote that curl had found "81" genuine vulnerabilities through the program and paid "over 90,000 USD". But in his later January 26, 2026 post announcing the end of the bug bounty, he updated those totals to 87 confirmed vulnerabilities and over 100,000 USD paid.
So the article's numbers are not the program's end-of-life totals; they are superseded by curl's own later accounting.
2 sources
- The end of the curl bug-bounty | daniel.haxx.se
We have certainly made curl better as a direct result of this: 87 confirmed vulnerabilities and over 100,000 USD paid as rewards to researchers.
- Death by a thousand slops | daniel.haxx.se
81 of them to be exact, with over 90,000 USD paid in awards.