
AI Drives Surge in ‘Bug Bounty’ Reports, but ‘Slop’ Is Rising Too
Why It Matters
The influx strains security teams, inflates review costs, and forces a rethink of bug bounty economics, while AI both fuels the problem and offers a path to scalable remediation.
Key Takeaways
- Cosmos Labs saw a 900% rise in bounty submissions
- AI-generated reports increase both valid findings and false positives
- curl’s bug bounty ended due to overwhelming AI “slop”
- HackerOne logged 85,000 valid submissions in 2025, up 7%
- Firms plan AI triage tools to filter low‑quality reports
Pulse Analysis
The rapid adoption of generative AI in software development has turned bug bounty programs into a double‑edged sword. On one hand, AI can scan massive codebases and draft vulnerability reports in minutes, explaining why platforms like Cosmos Labs and HackerOne are seeing submission volumes skyrocket—up 900% for Cosmos Labs and 7% year‑over‑year for HackerOne. This surge brings a higher absolute count of genuine bugs, but it also floods teams with low‑quality, often hallucinated findings that dilute the value of each report.
Security teams, especially in decentralized finance and open‑source projects, now face a resource bottleneck. The creator of curl, a critical data‑transfer library used by countless blockchain nodes, recently terminated his bounty program after being overwhelmed by AI‑generated “slop.” Smaller development groups lack the bandwidth to manually triage thousands of daily submissions, risking missed critical vulnerabilities while expending effort on false positives. The phenomenon underscores a broader industry challenge: balancing the democratization of security research with the need for rigorous validation.
To mitigate the noise, firms are turning to defensive AI solutions that automatically prioritize reports based on researcher reputation, historical accuracy, and exploit severity. Cosmos Labs, for example, is tightening scoring algorithms and partnering with platforms offering advanced triage. As AI continues to lower the cost of report generation, the next wave of bug bounty programs will likely embed AI‑driven filtering as a core component, ensuring that the influx of submissions translates into actionable security improvements rather than operational overload.