AI Deluge: Bug Bounty Programs Forced to Overhaul as AI-Generated Reports Overwhelm Systems
Key Takeaways
- Bug bounty submissions have surged: Bugcrowd saw reports quadruple in March and HackerOne reports 76% year-over-year growth, but the vast majority of AI-generated reports are false or low-quality
- Multiple projects (Curl, Nextcloud) have suspended their bug bounty programs entirely because of the overwhelming volume of AI-generated spam, forcing fundamental operational restructuring across the industry
- AI tools such as Anthropic's Mythos can help experienced researchers find flaws faster, but they have dramatically lowered the barrier to entry for automated or erroneous submissions, creating what security experts call 'absolute carnage'
Summary
Bug bounty platforms are being inundated with low-quality, AI-generated vulnerability reports, forcing some companies to suspend programs entirely. Bugcrowd reported that submissions quadrupled over a three-week period in March, with most proving false, while Curl and Nextcloud have suspended their programs due to the 'explosion' of AI-generated spam. The surge coincides with advances in generative AI tools, including Anthropic's new Mythos cyber security model, which can identify software flaws faster than humans but has dramatically lowered the barrier to entry for automated submissions.
While AI tools enable experienced security researchers to work more efficiently, they're also allowing amateurs and automated systems to flood platforms with spurious reports. Cyber security experts warn the trend is 'quickly becoming a major problem,' with companies forced to implement stricter background checks and AI-powered triage systems to filter submissions. HackerOne reports that submissions jumped 76% year-over-year, though the share of legitimate vulnerability reports has remained steady at 25%, suggesting the increase is driven predominantly by low-quality automated submissions rather than by more genuine findings.
Bug bounty platforms are implementing stricter filters and AI-powered validation systems to manage the influx, but the long-term viability of programs may depend on better researcher reputation systems and quality signals.
Editorial Opinion
While AI tools like Anthropic's Mythos promise to accelerate security research, the deluge of low-quality submissions reveals a critical tension: making tools accessible to legitimate researchers inevitably attracts noise and abuse. The industry's immediate response, stricter filters and AI-powered triage, is necessary but risks becoming an endless arms race. What's really needed is a shift toward researcher reputation systems and quality signals that reward legitimacy over volume.
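To make the "reputation systems and quality signals" idea concrete, here is a small triage scorer written as an added example for this article; it is not code from Bugcrowd, HackerOne or any platform named above. It assumes a researcher's track record (counts of valid and invalid past reports) and a few cheap report-level signals (reproduction steps present, in-scope component, enough specificity), and it uses the article's 25% legitimate-report share as the prior for an unknown submitter. The thresholds, quota formula and sample submissions are constructed for illustration.

```python
"""Reputation-weighted triage for bug bounty submissions (illustrative example)."""
from dataclasses import dataclass
import hashlib
import re

# Prior on a researcher's valid-report rate. Beta(1, 3) has mean 0.25, the
# platform-wide legitimate share quoted in the article; an unknown submitter
# therefore starts at 25% and earns (or loses) trust as outcomes are recorded.
PRIOR_VALID, PRIOR_INVALID = 1.0, 3.0


@dataclass
class Researcher:
    handle: str
    valid: int = 0
    invalid: int = 0

    def reputation(self) -> float:
        """Posterior mean of the valid-report rate under the Beta prior."""
        total = self.valid + self.invalid + PRIOR_VALID + PRIOR_INVALID
        return (self.valid + PRIOR_VALID) / total

    def daily_quota(self) -> int:
        """Submission cap that grows with reputation: 2/day for unknowns, up to 20 (assumed formula)."""
        return 2 + int(18 * self.reputation())

    def record_outcome(self, was_valid: bool) -> None:
        """Close the loop: triage verdicts feed back into reputation."""
        if was_valid:
            self.valid += 1
        else:
            self.invalid += 1


@dataclass
class Report:
    researcher: Researcher
    title: str
    component: str
    body: str


REPRO_PATTERN = re.compile(r"steps? to reproduce|reproduction|proof of concept|\bPoC\b", re.I)
MIN_WORDS = 40  # assumed: shorter bodies rarely carry enough detail to validate


def quality_signals(report: Report, in_scope: set[str]) -> dict[str, bool]:
    """Cheap, deterministic signals a human triager would check first."""
    return {
        "has_repro": bool(REPRO_PATTERN.search(report.body)),
        "in_scope": report.component in in_scope,
        "specific": len(report.body.split()) >= MIN_WORDS,
    }


def fingerprint(report: Report) -> str:
    """Normalise component + title so near-identical resubmissions collide."""
    key = re.sub(r"[^a-z0-9]+", " ", f"{report.component} {report.title}".lower()).strip()
    return hashlib.sha256(key.encode()).hexdigest()[:16]


class TriageQueue:
    def __init__(self, in_scope: set[str]) -> None:
        self.in_scope = set(in_scope)
        self.seen: set[str] = set()
        self.submitted_today: dict[str, int] = {}

    def route(self, report: Report) -> str:
        r = report.researcher
        count = self.submitted_today.get(r.handle, 0) + 1
        self.submitted_today[r.handle] = count
        if count > r.daily_quota():          # volume is throttled, not rewarded
            return "rate_limited"
        fp = fingerprint(report)
        if fp in self.seen:
            return "duplicate"
        self.seen.add(fp)
        signals = quality_signals(report, self.in_scope)
        if not signals["in_scope"]:
            return "out_of_scope"
        quality = sum(signals.values()) / len(signals)
        score = r.reputation() * quality     # track record weighted by evidence in the report
        if score >= 0.5:
            return "priority"
        if score >= 0.2:
            return "standard"
        return "hold_for_validation"         # reviewed later, after the queue of stronger reports


# Constructed sample bodies: one with reproduction steps, one that is content-free.
GOOD_BODY = (
    "Steps to reproduce: 1. Log in as a low-privilege user. 2. Open the export dialog "
    "on the reports page. 3. Intercept the request and change the account identifier to "
    "another user's value. 4. Observe that the export contains the other user's data. "
    "Expected: 403. Actual: 200 with data. Affected build: constructed-1.2.3."
)
THIN_BODY = "Found a critical bug in your site, please pay bounty."


def demo() -> list[str]:
    """Run a handful of constructed submissions through the queue and return the routing."""
    queue = TriageQueue(in_scope={"web-app", "api"})
    veteran = Researcher("veteran", valid=30, invalid=10)   # reputation ~0.70
    newcomer = Researcher("newcomer")                        # reputation 0.25 (prior only)
    flooder = Researcher("flooder", valid=0, invalid=20)     # reputation ~0.04
    submissions = [
        Report(veteran, "Export leaks other users' data", "web-app", GOOD_BODY),
        Report(newcomer, "Report export authorization bug", "web-app", GOOD_BODY),
        Report(newcomer, "Bug", "web-app", THIN_BODY),
        Report(veteran, "Export leaks other users' data", "web-app", GOOD_BODY),  # resubmission
        Report(flooder, "Critical issue 1", "api", THIN_BODY),
        Report(flooder, "Critical issue 2", "api", THIN_BODY),
        Report(flooder, "Critical issue 3", "api", THIN_BODY),
    ]
    return [queue.route(r) for r in submissions]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point of the design is that a complete report from an unknown newcomer still lands in the standard queue (prior 0.25 times full quality), while a submitter with a long record of rejected reports is both throttled to two submissions a day and pushed to the back of the queue even when a report looks plausible; the feedback via `record_outcome` is what lets reputation replace volume as the signal the program pays attention to.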