ARTFEED — Contemporary Art Intelligence

Turso Retires Bug Bounty Program Due to AI-Generated Slop

ai-technology · 2026-05-15

Turso, a company rewriting SQLite, is retiring its $1,000 bug bounty program for data corruption bugs after being inundated with low-quality, AI-generated submissions. The program, launched nearly a year ago, aimed to find bugs that escaped the company's extensive testing infrastructure, including a deterministic simulator, fuzzers, and differential testing. Only five individuals were paid, including Alperen (a core simulator contributor), Mikael (who used LLMs creatively and was later hired), and Pavan Nambi (who found over ten bugs in SQLite itself). However, the bounty became a target for "slop machines"—AI tools that produce plausible but nonsensical bug reports. Examples include injecting garbage bytes into database headers, modifying source code to add out-of-bounds array accesses, and claiming that executing SQL statements in a SQL database is a vulnerability. Turso implemented a vouching system to auto-close bot submissions, but bots began requesting manual inspections, which cost hours to review. The company chose to remove the financial incentive rather than close the open contribution system. Turso plans to continue strengthening its open-source community without monetary rewards.

Key facts

  • Turso retires $1,000 bug bounty program for data corruption bugs.
  • Program was active for nearly a year.
  • Only five individuals were paid: Alperen, Mikael, Pavan Nambi, and two others.
  • Mikael was later hired by Turso.
  • Pavan Nambi found over ten bugs in SQLite.
  • Submissions included AI-generated nonsense like injecting garbage bytes into database headers.
  • Turso implemented a vouching system to auto-close bot submissions.
  • Bots began requesting manual inspections after their PRs were closed.
  • Turso chose to remove the financial incentive rather than close the open contribution system.

Entities

Institutions

  • Turso
  • SQLite
