AI Might Cut False Positives, but It Won’t Stop the Slop


CyberScoop, May 18, 2026

Why It Matters

The deluge of low‑quality AI‑driven bug reports strains triage resources, increasing costs for security teams and potentially delaying remediation of genuine threats. Establishing stricter reporting standards preserves the value of bug bounty programs while still leveraging AI’s speed.

Key Takeaways

  • GitHub tightens bug report definition after AI‑driven surge
  • AI models like Mythos reduce false positives but still generate noise
  • Cloudflare finds Mythos can produce PoC code, yet most findings remain low‑impact
  • Curl test of Mythos flagged five vulnerabilities; only one was real, and it was low‑severity
  • Industry sees AI as force multiplier, but validation remains essential

Pulse Analysis

The adoption of advanced AI models in vulnerability research has reshaped bug bounty ecosystems. Platforms such as GitHub report a sharp uptick in AI‑assisted submissions, many of which arrive without reproducible proof of concept or target ineligible issues. To preserve signal quality, GitHub has refined its criteria for what constitutes a "complete" report, echoing a broader industry trend of tightening intake standards as the volume of speculative findings swells.

Frontier models like Anthropic’s Mythos demonstrate notable technical strides. In Cloudflare’s internal testing, Mythos chained exploits and generated its own PoC code, reducing false positives compared with legacy scanners. Yet the practical outcome in the curl project’s test was modest: across 178,000 lines of curl code, Mythos flagged five vulnerabilities, four of which proved either false or negligible, leaving a single low‑severity fix for the June release. This underscores that while AI can automate initial discovery, human verification remains the bottleneck for actionable security intelligence.

For security teams, the key is balancing AI’s speed with disciplined validation. Treating AI as a "force multiplier" means encouraging researchers to submit reproducible, impact‑driven findings while filtering out speculative noise. Programs that enforce proof‑of‑concept requirements can maintain triage efficiency and protect against resource drain. As models continue to mature, the industry can expect incremental reductions in false positives, but the necessity for expert human oversight will persist, shaping the next evolution of bug bounty economics and talent allocation.
