Bug Bounty Businesses Bombarded with AI Slop

Ars Technica – Security, May 18, 2026

Why It Matters

The deluge threatens the cost‑effectiveness of crowd‑sourced security testing and could force firms to redesign incentive structures, investing in AI‑driven filtering to preserve program value.

Key Takeaways

  • Bug bounty reports surged >400% in three weeks at Bugcrowd.
  • Curl and Nextcloud suspended programs due to AI‑generated low‑quality submissions.
  • AI tools increase report volume, but the share of legitimate findings stays at 25%.
  • Platforms add AI triage and stricter researcher vetting to manage noise.
  • Anthropic’s Mythos model aims to aid, not replace, human hunters.

Pulse Analysis

The bug bounty ecosystem, once hailed as a low‑cost way to tap global security talent, is now grappling with an unexpected side effect of generative AI. Tools that can automatically scan code and draft vulnerability reports have democratized participation, allowing amateurs and automated bots to flood platforms with submissions. While the total number of findings has risen dramatically, the signal‑to‑noise ratio has deteriorated, forcing program managers to allocate more resources to triage rather than remediation.

Companies such as Curl and Nextcloud have taken the drastic step of suspending their paid bounty programs, citing the mental toll and operational drag of sifting through endless AI‑generated noise. The economic calculus of bug bounties—paying per valid discovery—becomes untenable when the majority of reports are false positives. This pressure is prompting a shift toward stricter researcher onboarding, background checks, and the deployment of AI agents that can pre‑filter submissions before they reach human analysts. HackerOne’s recent rollout of “agentic validation” exemplifies how platforms are turning AI against itself to restore efficiency.

Looking ahead, the industry is unlikely to abandon crowd‑sourced testing altogether. Instead, a hybrid model is emerging where AI augments human creativity rather than replaces it. Anthropic’s Mythos and similar models promise faster identification of complex flaws, but they still rely on expert judgment to validate and prioritize. Firms that successfully integrate AI triage while preserving incentives for skilled hunters will maintain a competitive edge in vulnerability management, turning today’s challenge into a catalyst for more sophisticated, cost‑effective security programs.
