Bug bounty platforms face a flood of low-quality AI-generated submissions that waste triage time and platform resources. These platforms, which pay security researchers for finding vulnerabilities, now deal with hundreds of useless reports daily from automated tools and large language models that generate fabricated or trivial security issues.
The problem stems from two sources. First, some researchers use AI tools to scan codebases and generate candidate vulnerability reports at scale, flooding platforms with false positives that were never validated. Second, bad actors deliberately submit AI-generated spam to exploit reward programs or to bury legitimate findings in noise.
HackerOne, Bugcrowd, and other major platforms report that filtering AI slop consumes significant staff hours. Triaging teams must manually review each submission to determine if it represents a real security flaw or just noise. The overhead slows response times for legitimate researchers and creates bottlenecks that reduce program effectiveness.
Real security researchers suffer the most. Their genuine findings get buried in submission queues. Platforms struggle to prioritize high-value reports when they process thousands of AI-generated chaff daily. Some researchers report their serious vulnerabilities take weeks longer to review now than previously.
Platform operators have implemented initial defenses. HackerOne and Bugcrowd added AI detection systems and stricter submission requirements. Some require researchers to provide proof-of-concept code or a detailed, reproducible explanation before a report is accepted for triage. But these measures remain imperfect.
The economics create perverse incentives. Low-quality submissions cost nothing to generate and require zero expertise. If even a tiny percentage slip through and earn bounties, the spammer profits. Meanwhile, legitimate researchers who invest time and skill face longer review periods and increased friction.
This mirrors broader problems with AI-generated content flooding online platforms. Just as email spam adapted to filters, malicious actors refine their AI submission techniques. The arms race between platform defenses and submission automation continues.
Bug bounty programs remain
