OPEN_SOURCE
YT · YOUTUBE // 29d ago · NEWS
Node.js gates HackerOne reports to block AI slop
Node.js updated its HackerOne bug bounty program to require a Signal score of at least 1.0 before a researcher can submit a report directly. The change came after more than 30 low-quality, AI-generated reports reached the security team in a single holiday month. Researchers below the threshold must now contact the project's security stewards via the OpenJS Foundation Slack instead.
// ANALYSIS
AI-generated bug report spam is quietly degrading open-source security triage pipelines. Node.js's Signal gate is a pragmatic middle ground between doing nothing and curl's option of leaving HackerOne entirely.
- HackerOne Signal (scale -10 to +7) is a rolling 365-day average of a researcher's report quality. Requiring 1.0 is a low bar: it only filters out accounts with no history of valid reports, which is a reasonable proxy for AI-assisted spam accounts.
- curl maintainer Daniel Stenberg popularized the term "AI slop" for these reports and pulled curl out of HackerOne after nearly three decades of the project and $100K+ in paid bounties; Node.js chose a softer gate instead.
- The escape hatch matters: low-Signal researchers can still report via the OpenJS Slack, which preserves access for legitimate newcomers while adding friction for automated fire-and-forget submissions.
- As AI tooling makes plausible-sounding vulnerability reports trivial to generate at scale, expect every major open-source bug bounty program to adopt some form of reputation gating in 2026.
// TAGS
node-js · security · open-source · devtool
DISCOVERED
29d ago
2026-03-14
PUBLISHED
29d ago
2026-03-14
RELEVANCE
6 / 10
AUTHOR
Theo - t3.gg