Vulnerability Reports: Increase in Quantity, Decrease in Quality?

ComputerWeekly, Mar 12, 2026

Why It Matters

The surge of AI‑driven, low‑effort submissions threatens the cost‑effectiveness and security value of bug bounty programs across the sector.

Key Takeaways

  • Report volume doubled in 2025 vs 2024
  • Valid vulnerability rate fell below 5%
  • AI‑generated submissions overwhelm triage teams
  • Stenberg switched from HackerOne to GitHub
  • Experts urge revised bounty incentives and scopes

Pulse Analysis

The cURL project’s recent decision to suspend its HackerOne bounty program underscores a growing tension between traditional vulnerability hunting and generative AI. In the first weeks of 2026, Daniel Stenberg’s team reviewed 20 submissions, seven of which arrived within a 16‑hour window and none proved exploitable. Compared with 2024, report volume doubled in 2025 and is projected to triple by year‑end, while the proportion of confirmed flaws slipped from roughly 15 % to under 5 %. These figures illustrate how AI‑driven scanners can flood platforms with plausible‑looking but inaccurate findings, forcing security teams to spend disproportionate time on false positives.

The surge has reignited debate over bounty economics. Fixed‑price rewards that once attracted skilled hunters now appear to incentivize low‑cost, AI‑augmented spray‑and‑pray attacks, especially when modest payouts cover the cost of automated tooling. Platforms such as HackerOne respond by layering AI triage, tighter scope definitions, and gating mechanisms, yet Stenberg’s migration to GitHub signals that even sophisticated mediators struggle to filter noise without eroding researcher goodwill. Industry voices, from the Cyber Threat Alliance to Luta Security, warn that unchecked volume can generate technical debt faster than organizations can patch, threatening the overall efficacy of coordinated vulnerability disclosure.

To preserve bug bounties as a viable security lever, organizations must recalibrate incentives and invest in hybrid triage pipelines. Reducing payouts for low‑severity or low‑confidence reports, coupled with automated credibility scoring, can discourage mass‑generated submissions while still rewarding genuine discoveries. Simultaneously, expanding human expertise, whether through dedicated vulnerability analysts or managed‑service partners, ensures that AI‑produced leads are vetted swiftly. As generative models become more proactive, the industry’s ability to balance cost, speed, and accuracy will determine whether bug bounty programs remain a net positive or become a costly signal‑to‑noise exercise.
