Turso retires bug bounty program
Turso says it is ending its $1,000 bug bounty for data-corruption bugs after being overwhelmed by LLM-generated, low-quality PRs and reports. The company says the triage burden is now too high for an open-contribution project that wants to keep its doors open.
This is another sign that AI is changing not just how code gets written, but how open-source projects defend themselves from noise. The hard part is no longer finding bugs; it is separating real research from synthetic sludge. Turso says its bar was already high because submissions had to extend the simulator and demonstrate the bug, but that still did not stop bot-driven spam. The company is following the same trajectory other projects have taken, including cURL, where incentive schemes became a magnet for low-value AI submissions. This is a governance problem as much as a security one: paid programs now need stronger identity, reputation, and proof-of-work gates. For developers, the lesson is blunt: if you reward vague vulnerability claims, LLMs will flood the queue faster than humans can triage it. The likely near-term outcome is fewer open bounty programs, not fewer vulnerability reports.
Discovered: 2026-05-15
Published: 2026-05-15
Author: tjek