
Agentic AI Floods Bug Bounties, Forcing Changes to Payouts and Disclosure Timelines

News
Orion Hartwell

5/25/2026, 11:45:34 AM

Agentic AI models are accelerating both discovery of software flaws and creation of exploits, producing a surge in vulnerability reports that is reshaping bug-bounty payouts, disclosure timeframes, and how builders prioritize patching and testing.

Agentic AI systems are autonomously finding software vulnerabilities and generating working exploits, producing a sharp rise in submitted bug reports that is already altering the economics of bug-bounty and disclosure programs. This surge matters because it increases payout volumes, compresses remediation timelines, and forces engineering teams to rethink patching and testing priorities under greater time pressure.

The scale of the shift shows up in researcher experience and program histories. Independent security researcher Joseph Thacker says, “I’ve probably submitted three times more bugs than I did last year at this time—I would suspect that a company like Google is going to spend two to 10 times as much on bug payouts as they did last year.” Historical bounty increases provide context: Apple’s top payout climbed from $200,000 when announced in 2016 to $1 million in 2019 and reached $2 million last year.

Evidence that attackers are adopting similar methods has emerged in incident reports. Google researchers said they observed “prominent cyber crime threat actors” attempting to exploit a zero-day that the researchers said was developed with AI tools to bypass two‑factor authentication on an open‑source administration platform. Google notified the platform’s developer, a fix was issued, and John Hultquist of Google’s Threat Intelligence Group described the case as early evidence that attackers are using AI to find novel vulnerabilities and craft exploits.

The growing gap between automated discovery and an organization’s ability to remediate is changing program dynamics. Some researchers are monetizing automated discovery at scale, but firms face rising costs and heavier triage burdens as low- and medium-severity findings flood inboxes. Industry watchers warn, however, that smaller organizations lack the resources tech giants have to absorb higher payout volumes and faster remediation cycles.

Those pressures have practical implications for builders and security teams. Long-standing norms such as 90-day public disclosure windows were designed for a slower era: “The 90 day responsible disclosure window was built for a world where bug finders were rare and exploit development was slow. That world is gone. LLMs have compressed both timelines,” wrote researcher Himanshu Anand. Teams now must balance faster patch deployment with robust testing to avoid outages, and invest in automated scanning, improved triage, and risk‑prioritized patching to keep up with accelerated exploit development.

Sources

  1. WIRED AI · 5/25/2026