
AI-generated reports swamp bug bounty programs, prompting suspensions and new defences

News
Avalon Reed

5/18/2026, 2:19:15 PM


Security platforms and open-source projects are being overwhelmed by a surge of low-quality, AI-generated bug reports that have forced program suspensions and prompted new validation and triage measures.

Bug bounty programs and security platforms are facing a sudden influx of AI-generated, low-quality vulnerability reports that has overwhelmed triage workflows and forced some projects to pause payments. Bugcrowd said reports more than quadrupled over a three-week stretch in March, producing a large volume of mostly false submissions and unusually high review loads for customers including OpenAI, T-Mobile, and Motorola. The spike has already prompted operational changes and suspensions at affected programs.

Several open-source projects suspended or altered their bounties after the influx. curl halted its paid bounty in January, blaming an “explosion in AI slop reports” and a downturn in submission quality, while Nextcloud paused its program in April due to a “massive increase of low-quality reports.” curl’s creator, Daniel Stenberg, said the “never-ending slop” has taken “a serious mental toll to manage and sometimes also a long time to debunk.”

Platform operators report similar pressure. HackerOne said submissions rose 76 percent in the year to March, but only about a quarter of those reports flagged legitimate vulnerabilities. To cope with the volume, HackerOne has introduced agentic validation capabilities intended to filter and prioritize submissions before human review. The recent rollout of Anthropic’s cyber AI model, Mythos, has also been cited as a factor accelerating automated flaw finding and increasing the number of automated submissions.

Security experts warn the economics and workflows of bug bounties are shifting. Ross McKerchar of Sophos called the spike in poor-quality AI reports “quickly becoming a major problem,” and added that while bug bounties are likely to remain, “they’re going to have to change.” Observers say generative AI both accelerates skilled hunters and lowers the barrier to entry for automated or inexperienced contributors, changing how value is produced and assessed.

Researchers describe three contributor cohorts driving the surge. One group comprises amateurs using AI tools to probe targets and submit noise. A second includes well-meaning researchers sometimes misled by AI agents into false positives. The third, and most consequential, consists of experienced AI builders creating end-to-end automated scanning and submission systems that multiply low-value findings and amplify noise for triage teams.

Organizations are adjusting operationally to protect reviewer capacity and program integrity: instituting stricter background checks, tightening intake rules, and deploying AI agents to triage and validate incoming reports. Platform representatives emphasize that AI-assisted submissions can also be high-quality; HackerOne’s Kara Sprague said the rise in AI usage is “not a strong reason to say we don’t want them,” while Bugcrowd’s Dave Gerry argued AI will assist but not replace human creativity.

Sources

  1. Ars Technica AI · 5/18/2026

