Turso retires its $1,000 data-corruption bug bounty after AI slop flood
CEO Glauber Costa says maintainers were drowning in LLM-made PRs and urges new OSS governance as the team’s SQLite-compatible engine marches toward 1.0.
By Staff
Why it matters
AI-generated submissions are reshaping open-source incentives. A simple $1,000 bounty turned into a magnet for LLM spam, burning maintainer time. Founders will need new governance, contribution gates, and incentive designs to keep projects open without getting swamped.

Turso, the SQLite-based database platform, is shutting down its $1,000 data-corruption bug bounty after a flood of AI-generated submissions, CEO Glauber Costa said in a blog post. "For days, our maintainers have done little else other than close slop PRs," Costa wrote, adding that the bounty had become "too juicy of a target for the slop makers."
Why they offered a bounty in the first place
Costa and cofounder CTO Pekka Enberg are rewriting the SQLite engine in Rust to add modern capabilities while preserving reliability. The bar is high: SQLite is famed for stability. Turso has built a heavy test bench to meet it, including a deterministic simulator, fuzzers, an oracle-based differential testing engine against SQLite, a concurrency simulator, and long runs on Antithesis. As Costa put it in the post, the bounty was meant to signal confidence in the methodology and reward anyone who exposed blind spots.
That discipline is part of why people take Turso seriously. Costa came up through the Linux kernel and ScyllaDB before Datadog, where he authored the Glommio Rust async executor; Enberg is a former Linux kernel maintainer. Together they are building Turso as a many-database platform for the age of agents, with a Rust-based, SQLite-compatible engine that runs anywhere from servers to the browser. The team is also testing concurrent writes in Turso Cloud, now in early access.
When it worked, it really worked
Before the recent wave of LLM-assisted spam, the program produced exactly the kind of contributors Turso wanted. The company says it paid five individuals. Costa credits Alperen for improving the simulator itself; Mikael for creatively using LLMs to probe untested paths (Turso later hired him); and Pavan Nambi (@glcst), who paired the simulator with formal methods and uncovered not only bugs in Turso but also more than ten issues in SQLite itself.
The premise was simple: if someone could demonstrate a reproducible corruption case by extending the simulator, Turso would pay. It set a high bar and focused energy on gaps in test generation that automated tools would miss.
Then the slop machine arrived
According to Costa, that changed when LLM tools made it trivial to generate plausible-sounding but incorrect bug reports. A $1,000 bounty for a specific class of issues created the wrong incentive. The result: maintainers spent days triaging and closing AI-written PRs claiming data corruption. "We want to make every effort possible to keep the doors of Turso open," he wrote, but the bounty itself was making open contribution "close to impossible."
Turso is retiring the program to protect its contributors and maintainers while keeping the project open. And Costa is using the moment to call for broader norms: "We believe that we will all have to find new ways to establish good governance in this new era, and should learn from each other," he wrote in the post.
What this means for users and contributors
The end of the bounty is not a rollback of Turso’s testing regimen. The simulator, fuzzers, and external validation will continue to evolve, and the company still plans to expand scope and rewards for quality contributions after a stable 1.0. In the near term, the message is clear: the project stays open, but governance will tighten to filter out LLM noise. For users building on Turso’s engine and Turso Cloud, the roadmap continues, including early access to concurrent writes.