Turso is ending its $1,000 bug bounty for data-corruption issues after nearly a year, citing an influx of low-quality, spammy submissions that overwhelmed maintainers and threatened its open-contribution workflow. The bounty had backed rigorous testing around a SQLite rewrite—deterministic simulators, fuzzing, differential testing, concurrency simulations, and Antithesis runs—and paid a handful of researchers who found substantive bugs. Turso framed the retirement as a prompt for wider open-source governance and incentive redesign in an era of AI-assisted submissions, arguing financial bounties can invite noise that undermines maintainers’ capacity and collaborative workflows despite producing some real security value.
Turso's decision affects how maintainers balance incentive programs with engineering capacity and open contribution workflows. Tech professionals should reassess bounty designs and triage processes in the face of higher-volume, AI-assisted low-quality reports.
Dossier last updated: 2026-05-19 19:54:13
Turso engineers and community member Pavan Nambi used Quint, a TLA-inspired specification and model-checking tool, to model the SQLite C API and run generated traces against the real SQLite implementation. By incrementally specifying API contracts, producing traces, and comparing expected vs. observed behavior, they both validated their Quint models and uncovered divergences in SQLite. One concrete finding involved sqlite3_deserialize(), where the observed behavior did not match documented semantics (e.g., SQLITE_BUSY conditions), leading to discovery of more than ten bugs in SQLite so far. This approach strengthened Turso’s testing posture and highlights how accessible formal methods can surface real-world defects in widely used database software.
Turso engineers and community contributor Pavan Nambi used Quint, a TLA-based but developer-friendly formal-methods tool, to model the documented SQLite C API and generate execution traces to validate behavior against real SQLite. Instead of modeling all of SQLite, they targeted individual documented API contracts, produced traces, ran them on SQLite, and compared observed outputs to the spec. That process produced counterexamples revealing deviations—more than ten bugs uncovered in SQLite so far—illustrated by a discrepancy in sqlite3_deserialize() error behavior around SQLITE_BUSY during read transactions or backups. The effort shows practical formal methods accelerating reliability testing and hardening of Turso’s SQLite-compatible C API.
How we used Quint to find over 10 bugs in SQLite while hardening Turso
Turso is retiring its $1,000 bug bounty for data-corruption bugs after almost a year because the program attracted a flood of low-quality, spammy submissions that overwhelmed maintainers. The initiative began to validate and augment Turso’s heavy testing stack—deterministic simulator, fuzzers, differential testing vs. SQLite, concurrency simulator and Antithesis runs—and paid five researchers who found real issues. But the financial incentive became a magnet for “slop” PRs, threatening the project’s open-contribution model and maintainer capacity. Turso frames the move as a prompt for the broader OSS community to rethink governance and incentives around security and reliability testing in the age of automated and AI-assisted submissions.
Turso is retiring its bug bounty program that paid $1,000 for any demonstrable bug leading to data corruption, according to a May 12, 2026 post by Glauber Costa. The company said the program has become a target for “slop” submissions—low-quality pull requests and claims of corruption bugs—consuming maintainer time and threatening Turso’s open-contribution workflow. Turso launched the bounty while rewriting SQLite and used it to signal confidence in its reliability work, which includes a deterministic simulator, fuzzers, oracle-based differential testing against SQLite, a concurrency simulator, and Antithesis runs. The bounty was intended to run until a 1.0 release, with plans to expand rewards and scope later. Turso said it is sharing the decision to inform broader open-source governance discussions.