ChaoBro

The Bug Bounty Industry Is Being “Murdered” by AI-Generated Junk Reports: Corporate Programs Overwhelmed

Hackers once earned bounties through technical skill—now they’re gaming the system with AI volume.

The Financial Times, citing Ars Technica, reported an “internal crisis” within the cybersecurity community: corporate Bug Bounty programs are being overwhelmed by AI-generated junk reports.

What’s Happening?

Bug Bounty is a common mechanism in the cybersecurity industry: companies publicly offer rewards to encourage external security researchers to discover and report vulnerabilities in their products. Depending on severity, a discovered vulnerability can earn a researcher anywhere from hundreds to hundreds of thousands of dollars.

It’s a win-win model—companies uncover security issues at lower cost, and researchers earn money through technical expertise.

Now, however, this model is being undermined by AI.

Some actors are using AI tools to mass-generate vulnerability reports and submit them at scale. These reports share several telltale traits:

  • Massive volume: A single person can submit dozens—or even over a hundred—reports per day
  • Extremely low quality: Most describe known, trivial, or entirely non-existent issues
  • Deceptively professional appearance: AI-generated text is well-formatted and uses correct terminology—making it superficially convincing

The FT report dubs this phenomenon “never-ending.” Security teams must now spend enormous time sifting through these AI-generated submissions, trying to extract truly valuable findings from an ocean of noise.

Companies Are Pulling Back

The report notes that some enterprises have already begun reassessing—or even scaling back—their Bug Bounty programs. The reason is straightforward: when AI reduces the barrier to submission to nearly zero, the ROI (return on investment) of bounty programs becomes severely degraded.

Imagine a security team receiving 100 reports per day—95 of which are AI-generated junk, 3 are duplicates of known issues, and only 2 represent genuinely novel, high-priority findings. That means 95% of the team’s time is spent processing garbage.

For many companies, the math simply doesn’t add up.

A Deeper Problem

This mirrors the AI slop crisis facing arXiv—a broader systemic issue: when AI drives the cost of producing content near zero, the cost of verifying content becomes the new bottleneck.

In academia, verifying a paper requires peer review; in security, verifying a vulnerability demands hands-on reproduction and validation by skilled engineers. Across domains, AI asymmetrically disrupts this chain—it makes production trivial, but verification still demands human effort.

What Can Be Done?

The industry is exploring several mitigation strategies:

  1. Raising submission thresholds: Requiring reports to include executable proof-of-concept (PoC) code—not just textual descriptions
  2. AI vs. AI filtering: Using AI tools to pre-screen and flag likely AI-generated reports
  3. Reputation-based scoring: Building credibility profiles for researchers, prioritizing reviews for high-trust submitters
  4. Submission fees: Charging a small fee per report to raise the cost of bulk spamming

Yet each approach has drawbacks. Raising thresholds may inadvertently exclude legitimate novice researchers; AI-vs.-AI filtering risks devolving into a cat-and-mouse arms race; reputation systems disadvantage newcomers; and submission fees contradict the open, inclusive ethos of Bug Bounty.
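As an added illustration (not code from the article or from any named program), the following Python sketch combines three of the mitigations listed above into one triage pass: reports without a proof-of-concept are deferred, submitters exceeding a daily volume cap are deferred, and the rest are ordered by a reputation-weighted priority. The policy thresholds, the reputation formula, and the sample reports are all assumptions constructed for the example; newcomers with no history get a neutral prior rather than a zero score, which addresses the "disadvantages newcomers" drawback in a small way.

```python
"""Triage prioritizer for an inbound bug bounty queue (illustrative example).

Policy knobs, the reputation formula and every sample report below are
constructed assumptions for this example, not any real program's rules.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical policy thresholds (assumed values).
MAX_REPORTS_PER_DAY = 10          # more than this from one submitter in a day: defer
FAST_LANE_REPUTATION = 0.7        # reputation needed to skip straight to the fast lane
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Report:
    report_id: str
    submitter: str
    has_poc: bool            # report includes reproducible PoC steps or code
    severity_claimed: str    # severity asserted by the submitter, not yet verified
    valid_history: int       # submitter's previously confirmed reports
    invalid_history: int     # submitter's previously rejected reports


def reputation_score(valid: int, invalid: int) -> float:
    """Smoothed valid/invalid ratio in [0, 1].

    Laplace smoothing ((valid + 1) / (total + 2)) gives a newcomer with no
    history a neutral 0.5 instead of 0, so the reputation lane does not
    silently bury first-time submitters.
    """
    return (valid + 1) / (valid + invalid + 2)


def priority(r: Report) -> float:
    """Higher is reviewed first: claimed severity scaled by submitter trust."""
    weight = SEVERITY_WEIGHT.get(r.severity_claimed.lower(), 1)
    return weight * (0.5 + reputation_score(r.valid_history, r.invalid_history))


def triage(reports: list[Report]) -> dict[str, list[str]]:
    """Split one day's reports into fast, normal and deferred lanes.

    Returns report ids per lane; fast and normal lanes are sorted by priority.
    """
    per_submitter = Counter(r.submitter for r in reports)
    lanes: dict[str, list[Report]] = defaultdict(list)
    for r in reports:
        if per_submitter[r.submitter] > MAX_REPORTS_PER_DAY:
            lanes["deferred"].append(r)          # volume cap: bulk spam pattern
        elif not r.has_poc:
            lanes["deferred"].append(r)          # submission threshold: PoC required
        elif reputation_score(r.valid_history, r.invalid_history) >= FAST_LANE_REPUTATION:
            lanes["fast"].append(r)              # trusted submitter with PoC
        else:
            lanes["normal"].append(r)
    return {
        lane: [r.report_id for r in sorted(lanes[lane], key=priority, reverse=True)]
        for lane in ("fast", "normal", "deferred")
    }


# Constructed sample day: one trusted researcher, one PoC-less report, one
# newcomer, and a bulk submitter with 12 low-credibility "critical" reports.
SAMPLE_REPORTS = [
    Report("R-001", "alice", True, "high", 12, 1),
    Report("R-002", "bob", False, "critical", 0, 0),
    Report("R-003", "carol", True, "medium", 0, 0),
] + [
    Report(f"R-1{i:02d}", "bulkbot", True, "critical", 0, 30) for i in range(12)
]

if __name__ == "__main__":
    for lane, ids in triage(SAMPLE_REPORTS).items():
        print(f"{lane:8s} ({len(ids):2d}): {ids}")
```

The point of the ordering is that a high claimed severity alone does not buy a place at the front of the queue; it is multiplied by trust earned from past submissions, while the volume cap and PoC requirement act before scoring so that a flood from one account never reaches an engineer's desk at all.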

This Isn’t Unique to Bug Bounty

The struggles of the Bug Bounty industry are merely one slice of a much larger trend. From arXiv to content platforms to customer support systems—any model built on “human-submitted content + human-reviewed verification” is now under pressure from AI-generated content.

When AI makes “talking nonsense” effectively free, the price of “listening for truth” becomes prohibitively expensive.