AI-Generated Bug Reports Overwhelm Bug Bounty Programs
Quick Look
- AI is flooding bug bounty programs with fake reports, forcing companies like Nextcloud and HackerOne to suspend them.
- This surge in low-quality submissions strains security teams and impacts the effectiveness of these programs, despite significant payouts in the past.
AI-generated summary
Why It Matters
Bug bounty programs are crucial for companies to identify software vulnerabilities before malicious actors do. However, generative AI tools are now being used to create a large volume of low-quality and false bug reports, overwhelming security teams and leading some organizations to pause their programs.
Artificial intelligence is creating a new headache for companies that rely on bug bounty programs to uncover software vulnerabilities.
Cybersecurity firms and open-source software projects are dealing with a surge of AI-generated bug reports, many of which are false or misleading. That's per a report from Financial Times, which says that the growing number of low-quality submissions is forcing some organizations to pause bug bounty programs as security teams spend more time sorting real vulnerabilities from spam.
Bug bounties have also become big business, with companies including Meta, Microsoft, Apple, and Crypto.com collectively paying at least $58 million in 2025 to researchers who find software flaws before hackers do.
However, generative AI tools are also making it easier to exploit bug bounty programs by producing large volumes of inaccurate or low-quality vulnerability reports at scale.
According to San Francisco-based Bugcrowd, reports submitted through its platform more than quadrupled during three weeks in March. The company, whose clients include ChatGPT developer OpenAI, said most of the reports were fake.
Because of the flood of AI-generated reports, some companies have already begun rolling back their public bounty programs.
“Bug bounties are going to stay [but] they’re going to have to change,” Ross McKerchar, chief information security officer at cybersecurity company Sophos, told the Financial Times.
In April, cybersecurity platform HackerOne and hosting platform Nextcloud both suspended their paid bounty program, with Nextcloud adding that “no financial rewards will be awarded for any submissions, regardless of severity.”
“As you are likely aware, this is an industry-wide challenge and like others, we have been unable to find ways to responsibly handle the massive increase of low quality reports,” Nextcloud wrote. “We hope to be able to restart the program once a reliable approach to filtering out the low-effort reports has been found.”
The bug bounty news comes as AI models are becoming increasingly better at finding vulnerabilities. In March, Anthropic introduced Mythos, a cyber-focused AI model that the company says can identify vulnerabilities faster than humans. The company is currently keeping the model under wraps, only allowing access to the likes of tech giants, security firms, and governments.
In April, Claude Mythos identified 271 vulnerabilities in Mozilla Firefox during internal testing, while earlier this month, security researchers said a preview version of the model helped develop an exploit targeting Apple’s M5 chips.
What to Watch
AI outlook — possibilities, not facts
Bug bounty programs will evolve to incorporate more sophisticated AI-driven filtering mechanisms.
Very likely · Within months
Companies may shift towards more curated or private bug bounty programs to manage report quality.
Likely · Within months
Open Questions
- What specific filtering mechanisms will companies implement to combat AI-generated spam?
- Will bug bounty payouts decrease as a result of this challenge?
- How will AI models like Anthropic's Mythos be regulated or managed in the future?
- What is the long-term impact on the cybersecurity talent pool and the effectiveness of bug bounty programs?
