Bug Bounty Platforms Tackle Surge in AI-Generated Reports

The Challenge of AI-Generated Reports in Bug Bounty Programs

Fabricated Reports Flooding Platforms at Unprecedented Scale

The digital landscape is experiencing a seismic shift as artificial intelligence (AI) opens new doors for tech innovation—and chaos. A surge in AI-generated "slop" is currently overwhelming corporate bug bounty programs, leading some companies to suspend their initiatives altogether. This trend raises questions about the future of cybersecurity and the integrity of vulnerability reporting.

What Are Bug Bounty Programs?

Since their emergence in the early 2000s, bug bounty programs have significantly expanded, offering monetary rewards to independent researchers for discovering software vulnerabilities. Google, for instance, reported payouts of $17 million in 2025, more than double the amount awarded just four years earlier. Such initiatives have incentivized researchers to rigorously test software, leading to major breakthroughs—like the $605,000 payout for an Android vulnerability discovered in 2022.

However, the rapid proliferation of generative AI tools has altered the dynamics of these programs. Companies are now grappling with an influx of fabricated or inaccurate reports, making it difficult to discern genuine threats from noise.

The Influx of Low-Quality Submissions

Bugcrowd, a leading bug bounty platform serving clients like OpenAI and T-Mobile, witnessed a staggering quadrupling of submissions in just three weeks during March. Unfortunately, the majority of these reports were found to be false positives or generated by AI without adequate oversight.

In January, the widely used internet data transfer tool Curl suspended its paid bug bounty program due to what its creator, Daniel Stenberg, described as an "explosion in AI slop reports." He lamented the exhausting nature of managing such a flood of low-quality findings, which required considerable time and resources to debunk. Similarly, Nextcloud paused its program in April, hoping to relaunch only after improvements in filtering systems.

Lower Barriers, Higher Chaos

Advancements in generative AI have not only increased efficiency for experienced researchers but have also lowered the barrier to entry for novice users. These inexperienced individuals can now mass-produce submissions with minimal technical expertise.

Ross McKerchar, CISO at Sophos, pointed out that the increase in poor-quality reports is quickly becoming a “major problem.” The influx isn’t limited to amateurs; even seasoned researchers are sometimes misled by AI-generated insights. Additionally, skilled AI developers have begun creating fully automated scanning and submission systems that are wreaking havoc in the bug bounty space.

The Role of Cyber-Focused AI Models

In tandem with these challenges, the cyber realm is also witnessing the rise of specialized AI models. For instance, Anthropic recently launched Mythos, a cyber-focused AI designed to identify vulnerabilities faster than human researchers. Alarmingly, the UK’s AI Security Institute evaluated the system and found it capable of executing complex, multi-step cyberattacks with minimal oversight, completing a 32-step enterprise attack simulation autonomously.

Adapting to New Realities

In response to this unprecedented challenge, companies running bug bounty programs are implementing stricter vetting procedures and developing AI-powered filtering tools to process the tidal wave of submissions. HackerOne has introduced new "agentic validation capabilities" to help clients sift through the growing volume of AI-generated findings. CEO Kara Sprague noted a rise in "higher quality" AI-assisted submissions, urging stakeholders not to dismiss AI reports entirely.

Bugcrowd is also adapting by updating its submission policies to prioritize verified findings while curbing speculative automated spam. CEO Dave Gerry believes that AI will ultimately complement skilled human researchers, stating, "AI is going to help with a lot of things, but we’re never going to replace that human creativity."

Conclusion

As the world of cybersecurity evolves rapidly, the influx of AI-generated reports poses significant challenges for bug bounty programs. While the technology holds immense potential for enhancing security measures, the misuse of AI for fabricating low-quality submissions threatens the integrity of these initiatives. The future lies in finding a balance—leveraging AI to complement the irreplaceable human touch that drives true innovation in the field.
