Turso is shutting down its $1,000 data-corruption bug bounty after AI-generated slop PRs overwhelmed maintainers: each submission takes minutes to produce but costs maintainers hours to triage.
Key Takeaways
Turso ran the bounty for about a year, paid 5 legitimate contributors, and required each submission to extend the simulator rather than just report a bug, to keep the bar high.
Notable winners used creative LLM-assisted fuzzing and formal methods, and their work turned up 10+ bugs in SQLite itself – the program worked before the slop wave.
Fake submissions included overwriting database file headers with garbage bytes and reporting the resulting rejection as corruption, claiming that executing SQL is a vulnerability, and reporting by-design behaviour of the concurrent-write features as bugs.
A vouching plus auto-close system worked briefly, but the bots adapted: reopening closed PRs, filing complaints demanding manual review, and cycling through fresh identities.
Turso concluded that open systems with financial incentives are incompatible with AI spam at scale; the choice was between closing contributions and removing the reward.
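To make the header-garbage class of fake submission concrete, here is an added example that is not from the original page or from Turso's code base. It uses stock SQLite through Python's standard sqlite3 module (an assumption: Turso's engine is SQLite-compatible, but this is not Turso's implementation) to show what overwriting a database header actually produces, and the triage rule (mine, not Turso's) that separates a detected, rejected file from real silent corruption. The database contents and the garbage bytes are constructed for the demo.

```python
import os
import sqlite3
import tempfile

# Constructed sample data for the demo database.
ROWS = [("a",), ("b",), ("c",)]


def make_db(path):
    """Create a small database and commit a known set of rows."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, v TEXT)")
    conn.executemany("INSERT INTO t (v) VALUES (?)", ROWS)
    conn.commit()
    conn.close()


def corrupt_header(path, nbytes=16):
    """Overwrite the first nbytes of the file (the 'SQLite format 3\\0' magic
    string) with garbage, which is what the bogus submissions amounted to."""
    with open(path, "r+b") as f:
        f.write(b"\xff" * nbytes)


def read_count(path):
    """Return the row count, or the engine's error message as a string."""
    conn = sqlite3.connect(path)
    try:
        return conn.execute("SELECT count(*) FROM t").fetchone()[0]
    except sqlite3.DatabaseError as e:
        return str(e)
    finally:
        conn.close()


def classify(expected, observed):
    """Triage rule (assumed, not Turso's): an error on a tampered file is the
    engine doing its job; only a successful query whose answer differs from
    what was committed is evidence of data corruption."""
    if isinstance(observed, str):
        return "rejected-by-engine"
    return "ok" if observed == expected else "silent-corruption"


def demo():
    """Run the tamper-and-read sequence; returns the before/after readings
    and the triage verdict for the tampered file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "demo.db")
        make_db(path)
        before = read_count(path)
        corrupt_header(path)
        after = read_count(path)
        return before, after, classify(len(ROWS), after)


if __name__ == "__main__":
    print(demo())
```

The tampered file is refused with "file is not a database" rather than yielding wrong rows, so the verdict is "rejected-by-engine"; a submission worth a data-corruption bounty has to land in the "silent-corruption" branch, where a committed write is later read back incorrectly with no error at all.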
Hacker News Comment Review
Commenters noted the core asymmetry: slop takes about a minute to generate but hours of maintainer time to triage, a ratio that makes any dollar-denominated open bounty indefensible.
A strike/suspension system was proposed but quickly dismissed: new GitHub identities are trivially cheap (a Sybil attack), so account-level penalties cannot stick.
The broader consensus framed this as a confirmed prediction: financial incentives attached to open repos are now a magnet for automated low-effort abuse at scale.