HeadlinesBriefing.com

Turso Kills $1,000 Bug Bounty as AI Spam Overwhelms Maintainers

Source: Hacker News

Turso announced it will retire its $1,000 bug bounty program after nearly a year, citing an overwhelming flood of AI-generated submissions that consume maintainer time without producing legitimate security findings. The company's decision reflects a broader challenge facing open source projects as automated tools enable low-effort bounty hunting at scale.

Originally launched to supplement Turso's extensive testing infrastructure—including a native Deterministic Simulator, fuzzers, and differential testing against SQLite—the program successfully identified genuine vulnerabilities through human creativity. Five researchers earned rewards, including contributors who later joined the team. However, the program's financial incentive became irresistible to AI operators who could generate submissions in minutes, forcing maintainers to spend hours triaging nonsensical pull requests.

Examples of spam submissions included manually injecting garbage bytes into database headers and claiming SQL execution capability as a critical vulnerability. Turso's attempted vouching system failed when bots simply reopened closed issues. The asymmetric effort required—minutes for spammers versus hours for legitimate review—made the program unsustainable.

Turso's experience illustrates how AI automation threatens traditional open source contribution models. By removing financial incentives while maintaining open contribution policies, the company hopes to preserve genuine community engagement without the burden of automated noise. Other projects may need similar adaptations as AI-generated content continues proliferating across development platforms.