Turso Retires Bug Bounty Program Over AI-Generated Spam Flood

Summary

Turso, a company rebuilding SQLite for modern distributed systems, has discontinued its bug bounty program that offered $1,000 rewards for bugs leading to data corruption. Launched nearly a year ago to validate its rigorous testing methodology, the program became inundated with AI-generated spam submissions falsely claiming to have discovered critical bugs. Maintainers spent days closing fraudulent pull requests, making it untenable to continue accepting open contributions. The company is sharing this decision publicly to contribute to the broader conversation about establishing governance in an era of abundant generative AI.

Turso created the program recognizing that even the most sophisticated automated testing—including deterministic simulators, fuzzers, oracle-based differential testing, and concurrency simulators—cannot catch all edge cases. Over its year-long run, only five legitimate submissions were awarded, including work from core contributors who identified gaps in the project's testing infrastructure. However, the financial incentive proved too attractive to AI spam generators, fundamentally undermining the program's utility. The company remains committed to open-source principles and plans to find alternative approaches to crowdsource edge-case discovery while protecting contributor quality.

• This trend may force a rethinking of how projects incentivize and validate external contributions in the age of generative AI