Turso kills its data-corruption bounty after LLM slop drowns maintainers
Turso, the team rewriting SQLite, is ending its year-old $1,000 bounty for bugs that demonstrably cause data corruption. The program paid out to five contributors, including one who was later hired and another whose formal-methods approach surfaced more than ten bugs in SQLite itself. The original design — requiring submitters to extend Turso’s deterministic simulator to prove the bug — kept the signal-to-noise ratio high for most of the program’s life.
That collapsed once LLM-generated submissions arrived at scale. Maintainers describe a flood of PRs that manually injected garbage into database headers, added out-of-bounds writes to the source to manufacture corruption, or breathlessly reported that a SQL database executes SQL. A vouching system that auto-closed suspected bot submissions briefly helped, but the bots adapted, opening complaint issues demanding manual review or simply resubmitting under fresh accounts. The economic asymmetry is the core problem: a minute of generation costs the submitter nothing, while triage costs maintainers hours.
Turso frames the shutdown as a governance lesson for open source generally — when a monetary reward meets an open contribution model in the LLM era, the incentive structure breaks. Rather than close the project to outside contributions, they’re removing the money. The company is publicizing the decision to push peers to share similar findings as projects work out new norms.
This is an AI-generated summary.