Johan Hutting

@johanhutting.bsky.social

Senior software engineer / Developer advocate @ ING, co-organiser JUG Noord and ING backend summit. Opinions expressed are my own.

950 Followers  |  285 Following  |  924 Posts  |  Joined: 15.11.2023  |  2.0464

Latest posts by johanhutting.bsky.social on Bluesky


Excited for #JCON EUROPE 2026? See Balkrishna Rawool at #JCON2026 in Cologne talking about '#VirtualThreads, Structured #Concurrency and Scoped #Values: Putting it All Together'

Project #Loom brings lightweight concurrency to #Java with …

🎟️ 2026.europe.jcon.one/tickets
Free for #JUG members

22.02.2026 16:00 — 👍 4    🔁 2    💬 0    📌 0

Excited for #JCON EUROPE 2026? See Johan Hutting at #JCON2026 in Cologne talking about 'Have You Gone #MADR?'

We all know the #challenge of #remembering why a certain decision was made and why we decided not to go for a specific alternative …

🎟️ 2026.europe.jcon.one/tickets
Free for #JUG members

20.02.2026 08:00 — 👍 4    🔁 2    💬 0    📌 0
JNation 2025 Highlights
Some of the best moments of the JNation 2025 conference in Coimbra, Portugal.

If you were in Coimbra last May, you’ll remember it.

Two days of technical depth. Sharp questions. Packed rooms.

JNation returns to Convento São Francisco on 26–27 May.

A new edition is in the making!

Last year’s highlights below.

#JNation #Java #Coimbra

20.02.2026 11:10 — 👍 6    🔁 2    💬 0    📌 0
Towards Better Checked Exceptions - Inside Java Newscast #107
YouTube video by Java

Let's talk about #Java's checked exceptions - smartly. Not whether we should have them (that ship has sailed) but where the friction comes from and what could be done to reduce it:

www.youtube.com/watch?v=99s7...

19.02.2026 16:17 — 👍 10    🔁 3    💬 1    📌 0

Excited for #JCON EUROPE 2026? See Nupur Agarwal at #JCON2026 in Cologne talking about '1. From #Bytes to Brilliance: #Optimizing Large File Delivery in #REST APIs with #SpringBoot'

In this talk, we’ll walk through a real-world journey of ...

🎟️ 2026.europe.jcon.one/tickets
Free for #JUG members

18.02.2026 16:00 — 👍 2    🔁 1    💬 0    📌 0
AssertJ quote from the GitHub Secure Open Source Fund: "We shifted security from a stretch goal to a core requirement."

📢 AssertJ joined the GitHub Secure Open Source Fund, a program that leveled up security across 67 open source projects.

What changed for us: SHA pinning, immutable releases, incident response plan, and a mindset shift toward security awareness 🔒

The impact? More robust JVM assertions 🚀

17.02.2026 20:17 — 👍 14    🔁 6    💬 1    📌 0

Java Conferences with closing CFP in the next 15 days:

JJUG CCC 2026 Spring Closes: 1 March 2026
DevBcn Closes: 28 February 2026
Devoxx Poland Closes: 28 February 2026

If you want to add your conference, please submit it at https://javaconferences.org/

17.02.2026 09:52 — 👍 6    🔁 3    💬 0    📌 0

We are happy to have JUG Noord back as a partner of #JCON2026!

For all #JUG members we offer 1,000 free #JavaUserGroup tickets!
First come, first serve!
#JCON #Java

Free JUG ticket: pretix.eu/impuls/eur...

Become a partner JUG: jcon.koeln/#partner

12.02.2026 15:30 — 👍 2    🔁 2    💬 0    📌 0

Had an extensive conversation with Marco at @jetbrains.com about the future of @graalvm.org, the benefits of ahead-of-time compilation, and whether AI is going to take over compiler development 😉.

11.02.2026 15:31 — 👍 4    🔁 2    💬 0    📌 0
Building a C compiler with a team of parallel Claudes Anthropic is an AI safety and research company that's working to build reliable, interpretable, and steerable AI systems.

So, Anthropic released a 42s promo video of Opus 4.6 generating a working C-compiler 🙃

Impressive, but if you're looking for details and some more nuance by the 'conductor', this is a good read: www.anthropic.com/engineering/...

05.02.2026 22:13 — 👍 0    🔁 0    💬 0    📌 0
Interview with a ‘Just use a VPS’ bro (OpenClaw version)
YouTube video by Kai Lentit

"Now I can show you how to do this on Arch, btw." 🤣

www.youtube.com/watch?v=40Sn...

05.02.2026 19:58 — 👍 0    🔁 0    💬 0    📌 0

Organise an internal meetup with three great speakers 🤩
Have everyone in the building evicted just after the third session starts 🫤

There's a first time to everything, and at least now we'll have an excuse to organise the next meetup on short term 😅

05.02.2026 16:01 — 👍 1    🔁 0    💬 0    📌 0

The JCON shirts are true gems every year - and as a speaker, you'll even get one for free 🤩

05.02.2026 15:58 — 👍 0    🔁 0    💬 0    📌 0
LazyConstants in JDK 26 - Inside Java Newscast #106
YouTube video by Java

Lazily initializing fields in #Java is error-prone and undermines constant-folding. JDK 26 comes with JEP 526, which previews `LazyConstant` - the remedy to this malady.

More details in Inside Java Newscast #106 - join me for the premiere tomorrow morning, 0700 UTC:
www.youtube.com/watch?v=BZlX...

04.02.2026 17:10 — 👍 14    🔁 3    💬 1    📌 0
Voucher redemption :: JCON EUROPE 2026

Meet the #JUnit team in Cologne, Germany, in April at #JCON!

@marcphilipp.de will give a talk about the road to JUnit 6 and Christian and Rien will be attending as well.

Please use the following link to support JUnit (10% of the proceeds will go back to the project):
pretix.eu/impuls/europ...

02.02.2026 18:09 — 👍 9    🔁 5    💬 0    📌 0
GitHub - JosePaumard/2026_Jfokus-Loom-lab Contribute to JosePaumard/2026_Jfokus-Loom-lab development by creating an account on GitHub.

The Loom Lab JDK 26 V1 edition is out! Comes with Timeout management and Scoped Values. You can grab it here: github.com/JosePaumard/...

02.02.2026 16:34 — 👍 8    🔁 5    💬 0    📌 0

This is a @josepaumard.bsky.social appreciation post.

02.02.2026 11:17 — 👍 8    🔁 2    💬 1    📌 0

There's a reason I don't use self check-out unless I only have 2-3 things to purchase. If more customers would do that, more people would be hired as cashier again.

Plus waiting in line is a great moment to disconnect/think 👍

28.01.2026 18:29 — 👍 1    🔁 0    💬 0    📌 1

What I’m hearing: large open source projects are being absolutely hammered by AI-generated security reports. To the point of not being able to handle them.

Feeling is lots of ppl want an easy way to put a CVE on their CV and collect $$ for bug bounty.

Super bad for maintainers

27.01.2026 20:57 — 👍 123    🔁 19    💬 7    📌 4

HTTP/3 support is coming in #Java 26. 👇🏾

27.01.2026 15:34 — 👍 10    🔁 4    💬 1    📌 0

Enjoy! I think we'll get some fresh flat snow this evening, 2-3cm or so 😂🤦

(And yes, the only hill-like features we have here in Fryslân are dunes & man-made terp 🙃)

27.01.2026 14:22 — 👍 0    🔁 0    💬 1    📌 0

What are those rock-like things in the background? 🤔

27.01.2026 14:16 — 👍 0    🔁 0    💬 1    📌 0
The AI trust gap: Why code verification matters In this second chapter of our State of Code Developer Survey report, we dig deeper into the developer psyche to answer a critical question: Do developers actually trust the code that AI systems are ge...

www.sonarsource.com/blog/ai-codi...

Great article that highlights a dilemma a lot of developers are facing right now: trusting the AI-generated code. The amount of effort and attention needed is far greater than with code written by a colleague.

27.01.2026 05:48 — 👍 1    🔁 1    💬 1    📌 0
The end of the curl bug-bounty

tldr: an attempt to reduce the _terror reporting_.

**There is no longer a curl bug-bounty program.** It officially stops on January 31, 2026.

After having had a few half-baked previous takes, in April 2019 we kicked off the first real curl bug-bounty with the help of Hackerone, and while it stumbled a bit at first it has been quite successful I think.

We attracted skilled researchers who reported plenty of actual vulnerabilities for which we paid fine monetary rewards. We have certainly made curl better as a direct result of this: **87 confirmed vulnerabilities and over 100,000 USD** paid as rewards to researchers. I’m quite happy and proud of this accomplishment.

I would like to especially highlight the awesome Internet Bug Bounty project, which has paid the bounties for us for many years. We could not have done this without them. Also of course Hackerone, who has graciously hosted us and been our partner through these years. Thanks!

## How we got here

Looking back, I think we can say that the downfall of the bug-bounty program started slowly in the second half of 2024 but accelerated badly in 2025.

We saw an explosion in AI slop reports combined with a lower quality even in the reports that were not obvious slop – presumably because they too were actually misled by AI but with that fact just hidden better.

Maybe the first five years made it possible for researchers to find and report the low hanging fruit. Previous years we have had a rate of somewhere north of 15% of the submissions ending up confirmed vulnerabilities. Starting 2025, the confirmed-rate plummeted to below 5%. Not even one in twenty was _real_.

The never-ending slop submissions take a serious mental toll to manage and sometimes also a long time to debunk. Time and energy that is completely wasted while also hampering our will to live.

I have also started to get the feeling that a lot of the security reporters submit reports with a _bad faith attitude._ These “helpers” try too hard to twist whatever they find into something horribly bad and a critical vulnerability, but they rarely actively contribute to actually _improve_ curl. They can go to extreme efforts to argue and insist on their specific current finding, but not to write a fix or work with the team on improving curl long-term etc. I don’t think we need more of that.

There are these three bad trends combined that makes us take this step: the mind-numbing AI slop, humans doing worse than ever and the apparent will to poke holes rather than to help.

## Actions

In an attempt to do something about the sorry state of curl security reports, this is what we do:

* We no longer offer any monetary rewards for security reports – no matter which severity. In an attempt to remove the incentives for submitting made up lies.
* We stop using Hackerone as the recommended channel to report security problems. To make the change immediately obvious and because without a bug-bounty program we don’t need it.
* We refer everyone to submit suspected curl security problems on GitHub using their _Private vulnerability reporting_ feature.
* We continue to immediately _ban and publicly_ _ridicule_ everyone who submits AI slop to the project.

## Maintain curl security

We believe that we can maintain and continue to evolve curl security in spite of this change. Maybe even improve thanks to this, as hopefully this step helps prevent more people pouring sand into the machine. Ideally we reduce the amount of wasted time and effort.

I believe the best and our most valued security reporters still will tell us when they find security vulnerabilities.

## Instead

If you suspect a security problem in curl going forward, we advise you to head over to GitHub and submit them there.

Alternatively, you send an email with the full report to `security @ curl.se`.

In both cases, the report is received and handled privately by the curl security team. But with _no monetary reward offered_.

## Leaving Hackerone

Hackerone was good to us and they have graciously allowed us to run our program on their platform for free for many years. We thank them for that service.

As we now drop the rewards, we feel it makes a clear cut and displays a clearer message to everyone involved by also moving away from Hackerone as a platform for vulnerability reporting. It makes the change more visible.

## Future disclosures

It is probably going to be harder for us to publicly disclose every incoming security report in the same way we have done it on Hackerone for the last year. We need to work out something to make sure that we can keep doing it at least imperfectly, because I believe in the goodness of such transparency.

## We stay on GitHub

Let me emphasize that this change does not impact our presence and mode of operation with the curl repository and its hosting on GitHub. We hear about projects having problems with low-quality AI slop submissions on GitHub as well, in the form of issues and pull-requests, but for curl we have not (yet) seen this – and frankly I don’t think switching to a GitHub alternative saves us from that.

## Other projects do better

Compared to others, we seem to be affected by the sloppy security reports to a higher degree than the average Open Source project.

With the help of Hackerone, we got numbers of how the curl bug-bounty has compared with other programs over the last year. It turns out curl’s program has seen more volume and noise than other public open source bug bounty programs in the same cohort. Over the past four quarters, curl’s inbound report volume has risen sharply, while other bounty-paying open source programs in the cohort, such as Ruby, Node, and Rails, have not seen a meaningful increase and have remained mostly flat or declined slightly. In the chart, the pink line represents curl’s report volume, and the gray line reflects the broader cohort.

Inbound Report Volume on Hackerone: curl compared to OSS peers

We suspect the idea of getting money for it is a big part of the explanation. It brings in real reports, but makes it too easy to be annoying with little to no penalty to the user. The reputation system and available program settings were not sufficient for us to prevent sand from getting into the machine.

The exact reason why we suffer more of this abuse than others remains a subject for further speculation and research.

## If the volume keeps up

There is a non-zero risk that our guesses are wrong and that the volume and security report frequency will keep up even after these changes go into effect.

If that happens, we will deal with it then and take further appropriate steps. I prefer not to overdo things or _overplan_ already now for something that ideally does not happen.

## We won’t charge

People keep suggesting that one way to deal with the report tsunami is to _charge_ security researchers a small amount of money for the privilege of submitting a vulnerability report to us. A _curl reporters security club_ with an entrance fee.

I think that is a less good solution than just dropping the bounty. Some of the reasons include:

* Charging people money in an International context is complicated and a maintenance burden.
* Dealing with charge-backs, returns and other complaints and friction add work.
* It would limit who could or would submit issues. Even some who actually find legitimate issues.

Maybe we need to do this later anyway, but we stay away from it for now.

## Pull requests are less of a problem

We have seen other projects and repositories see similar AI-induced problems for pull requests, but this has not been a problem for the curl project.

I believe for PRs we have much better means to sort out the weed with automatic means, since we have tools, tests and scanners to verify such contributions. We don’t need to waste any human time on pull requests until the quality is good enough to get green check-marks from 200 CI jobs.

## Related

I will do a talk at FOSDEM 2026 titled Open Source Security in spite of AI that of course will touch on this subject.

## Future

We never say never. This is now and we might have reasons to reconsider and make a different decision in the future. If we do, we will let you know.

These changes are applied now with the hope that they will have a positive effect for the project and its maintainers. If that turns out to not be the outcome, we will of course continue and apply further changes later.

## Media

Since I created the pull request for updating the bug-bounty information for curl on January 14, almost two weeks before we merged it, various media picked up the news and published articles. Long before I posted this blog post.

* The Register: Curl shutters bug bounty program to remove incentive for submitting AI slop
* Elektroniktidningen: cURL removes bug bounties
* Heise online: curl: Projekt beendet Bug-Bounty-Programm
* Neowin: Beloved tool, cURL is shutting down its bug bounty over AI slop reports
* Golem: Curl-Entwickler dreht dem “KI-Schrott” den Geldhahn zu
* Linux Easy: cURL chiude il programma bug bounty: troppi report generati dall’AI
* Bleeping Computer: Curl ending bug bounty program after flood of AI slop reports
* The New Stack: Drowning in AI slop, cURL ends bug bounties
* Ars Technica: Overrun with AI slop, cURL scraps bug bounties to ensure “intact mental health”
* PressMind Labs: cURL kończy program bug bounty – czy to koniec jakości zgłoszeń?
* Socket: curl Shuts Down Bug Bounty Program After Flood of AI Slop Reports

Also discussed (indirectly) on Hacker News.

The end of the #curl bug-bounty

https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/

26.01.2026 07:25 — 👍 65    🔁 82    💬 6    📌 4

GraalVM 25.0.2 is now available! 🚀

Upgrade to get the latest security updates and improvements.

Release notes: www.graalvm.org/release-notes/
Downloads: www.graalvm.org/downloads/

21.01.2026 13:30 — 👍 13    🔁 6    💬 0    📌 0
J-Spring 2026: Call for Papers Thursday June 4th, 2026 | Utrecht J-Spring is the Java Spring conference organized by the NLJUG for the Java community. ...

On June 4th, an amazing #Java conference will take place in Utrecht: 𝐉-𝐒𝐩𝐫𝐢𝐧𝐠! Our Call for Papers is open until 28 February 2026.

Submit here to get the chance to speak to a packed cinema room! sessionize.com/jspring26 @nljug.bsky.social

19.01.2026 17:10 — 👍 6    🔁 3    💬 0    📌 0
The Discourse is a Distributed Denial-of-Service Attack In September 2016, the security journalist Brian Krebs had his website knocked offline by a botnet called Mirai. Hundreds of thousands of compromised devices, mostly cheap webcams and DVRs manufactured with default passwords that nobody ever changed, all simultaneously requesting his homepage. No single request was malicious. Each packet was

It's not that intelligent people have become stupid. It's that the incentive structure of public conversation rewards cocksureness regardless of actual intelligence...

www.joanwestenberg.com/the-discour...

17.01.2026 23:33 — 👍 25    🔁 10    💬 0    📌 7
Command completion: No more shortcuts!
What if you could perform actions in IntelliJ IDEA without having to know the shortcuts? Command completion, an extension of regular code completion, offers you relevant action right in your editor.…

What if you could perform actions in #IntelliJIDEA without having to know the shortcuts? Command completion, an extension of regular code completion, offers you relevant action right in your editor. Learn more in this video by @maritvandijk.bsky.social 📹 👇
youtu.be/waY6HAmyHOw

16.01.2026 12:00 — 👍 13    🔁 5    💬 0    📌 1

My talk ‘Making sense of vector databases’ was in the Top 10 best rated talks at #JFall 2025. 🍁
Thank you @nljug.bsky.social for the opportunity 🙏 and to all the people who joined the session and showed so much love! 🧡
Feeling proud to be in the company of these legends!

16.01.2026 10:14 — 👍 5    🔁 1    💬 0    📌 0

WasmGC is coming to GraalWasm, unlocking the power of JVM garbage collectors for #WebAssembly! This will also get GraalWasm a lot closer to implementing the full Wasm 3.0 spec.

Join @ssmith.bsky.social and me at @jfokus.se next month to learn more: www.jfokus.se/talks.html?s...

14.01.2026 17:11 — 👍 22    🔁 8    💬 0    📌 0

@johanhutting is following 20 prominent accounts