Sloth Bytes
Posts
🦥curl killed its bug bounty program

🦥curl killed its bug bounty program

The Coding Sloth
January 30, 2026 • Estimated Reading Time: 11 minutes

Hello friends!

Welcome to this week’s Sloth News. I hope you had an amazing week!

But if you want to reach 50,000+ developers, founders, and tech lovers who actually open their emails — this is the place.

Learn more about sponsoring

curl kills its bug bounty program after drowning in AI slop

After 7 years and $100k in payouts, curl is shutting down its bug bounty on January 31st. Why? Because a combination of human greed and AI slop has completely overwhelmed the program.

Confirmation rates crashed from 15% to under 5%, meaning fewer than 1 in 20 reports are even real. The curl team is mentally exhausted from debunking fake AI-generated vulnerability reports and is moving to GitHub's free reporting system until they can think of an alternative method.

Why it matters: This is a terrible sign for bug bounty systems. If one of the internet's most critical projects can't make bounties work anymore, what does that mean for everyone else? Companies and open source projects might stop offering cash rewards entirely, killing a major incentive that's kept security researchers hunting for vulnerabilities for years

Gemini 3 Flash can now write code to zoom in and inspect images like a human would

Google just launched "Agentic Vision" in Gemini 3 Flash, which lets the AI actively manipulate images using Python code rather than just looking at them once and guessing. It uses a Think-Act-Observe loop where it analyzes your question, writes code to crop/zoom/annotate the image, then looks at the modified version before answering. This gives a consistent 5-10% accuracy boost across vision benchmarks.

Why it matters: This solves one of the biggest problems with AI vision models. Many AI models miss fine-grained details because they only get a single static view of an image. Now, Gemini can get more details like humans would by zooming into a building drawing on the image, or execute actual Python code to do visual math instead of hallucinating numbers.

Ruby on Rails creator says AI code is worse than what junior devs write

David Heinemeier Hansson (DHH - the guy who built Ruby on Rails) says AI coding tools are like a "flickering light bulb." Sometimes brilliant, but mostly unreliable. He uses AI daily and finds that while it can spit out working code, the quality is usually worse than what a junior programmer would write.

At his company, humans still wrote 95% of the code for their latest product because AI just isn't consistent enough for real production work.

Why it matters: People hype up AI A LOT, so it’s nice to see a developer who actually ships code every day say it’s not that insane (yet). The real problem isn't whether AI can write code (it can), but whether that code is maintainable, understandable, and won't create a debugging nightmare six months later. Junior developers might write imperfect code, but they’ll at least understand how the system works.

AI coding tools hurt learning unless you use them right

This isn’t too big of a surprise, but Anthropic tested 52 (mostly junior) software engineers learning a new Python library with and without AI help.

Those using AI scored 17% lower on a quiz (nearly two letter grades) about concepts they'd just used.

However, not everyone scored poorly. Developers who used AI to ask follow-up questions and build understanding while coding performed just as well as those who coded by hand.

Why it matters: If you're learning to code or picking up new skills, using AI to finish tasks fast can prevent you from actually learning. This means you'll struggle when things break, and you need to debug. The fix is simple: don't just ask AI to write code, ask it to explain concepts while you work. That's how you actually build the skills to catch errors and provide oversight.

As AI makes coding easy, SRE skills become essential

Swizec Teller (SWE with over 20 years of experience) argues that as AI makes code generation cheap, running reliable services becomes the real skill.

He uses spreadsheets and no-code tools as proof. They promised "coding is dead" and worked great at first, but turned into maintenance nightmares with constant edge cases, no ability to take a vacation, and users filled with dread every time they run them.

Why it matters: If you think AI will replace you because it can write code, you're measuring the wrong thing. Building is the “easy part.” The hard part is keeping it running, handling edge cases, and recovering from failures.

Can you debug code you didn't write? Do you know how to keep systems running when things break at 3 AM? Can you guarantee uptime when a vendor fails? These operational skills are what will make you irreplaceable. When AI writes everyone's code, the engineers who understand how to run production services will be the ones companies fight over.

JavaScript frameworks are evolving for an AI-dominated world

— (@)

Ryan Carniato (creator of SolidJS) reviews how JavaScript frameworks are adapting to AI. He identifies three big changes:

AI-first design - Frameworks like Remix 3 are simplifying their syntax so AI can write more generic code.
Isomorphic-first architecture (what he calls it) - Frameworks are combining server and client code more smoothly.
Async-first patterns - Handling async operations is becoming a core feature instead of something tacked on.

Why it matters: AI struggles with complex, framework-specific code, so frameworks are simplifying. This means you should learn core patterns (state, data flow, async) instead of memorizing the API.