Why It Matters
AI‑driven bug hunting overwhelms traditional remediation capacity, threatening the sustainability of open‑source security incentives. Without adapted reward models, critical projects may lose essential vulnerability reporting momentum.
Key Takeaways
- Internet Bug Bounty pauses payouts amid AI surge
- $1.5M awarded since 2012, 80% for new flaws
- Node.js loses funding, continues triage only
- Curl and Google also halted AI submissions
- AI speeds discovery, outpaces open‑source remediation
Pulse Analysis
The rise of artificial‑intelligence tools has reshaped how security researchers locate vulnerabilities. Machine‑learning models can scan codebases at scale and produce candidate vulnerability reports, sometimes with proof‑of‑concept exploits, in minutes, a task that once required weeks of manual analysis. This acceleration has flooded bug‑bounty platforms with high‑volume submissions, each of which still has to be triaged and verified by maintainers, and it strains reward structures that were calibrated for slower, human‑driven discovery. As AI lowers the barrier to entry, programs must reconsider how they allocate limited remediation resources while preserving incentives for deep, novel findings.
The Internet Bug Bounty program, launched in 2012 and backed by major software firms, has paid out more than $1.5 million to date, with roughly 80% of rewards tied to newly discovered flaws. HackerOne’s recent decision to pause payouts reflects a strategic response to the AI‑driven influx: the ratio of discovery to remediation capacity has shifted dramatically. Projects such as Node.js will still receive and triage reports through HackerOne, but without financial incentives the ecosystem risks losing the motivation that fuels high‑quality, responsible disclosure.
Other open‑source reward schemes are following suit; Curl halted submissions in January and Google recently paused AI‑generated reports for its OSS Vulnerability Reward Program. The convergence of AI and open‑source security forces stakeholders to redesign incentive models, perhaps by rewarding remediation effort, verification depth, or long‑term impact rather than sheer volume. Programs that adapt quickly can preserve a robust vulnerability pipeline, protect critical infrastructure, and maintain trust among developers. Conversely, prolonged funding gaps could leave more flaws unreported and unpatched, inviting exploitation at scale.