Generative AI tools are flooding corporate bug bounty programs with low-quality and fake vulnerability reports, forcing tech companies to change how they pay researchers.
This shift threatens the stability of crowdsourced security, as the sheer volume of automated submissions overwhelms human security teams and increases the cost of remediation.
Companies pay millions of dollars [1] to independent hackers who find software flaws. However, the rise of generative AI allows users to automate the creation of bogus reports. This trend has led to a crisis in how companies manage their Vulnerability Reward Programs.
Responses across the industry vary. HackerOne suspended new vulnerability submissions and paused its Internet Bug Bounty program [2]. Other firms are exploring stricter verification checks and defensive AI to filter the noise [3]. Google has also cut payouts in its reward programs due to these AI-driven disruptions [4].
Despite the surge in fake reports, AI has also improved the ability of researchers to find genuine flaws. AI-assisted discovery of major software bugs grew by 490% [5] year-on-year. This creates a paradox: security teams must sift through more noise to find more sophisticated vulnerabilities.
Data from 2025 shows that valid bug bounty submissions reached 85,000 [3]. This represents a seven percent [3] year-on-year increase in legitimate reports. While the number of valid finds continues to grow, the ratio of fake to real submissions has shifted significantly as automation becomes more accessible.
Security teams now face a mounting burden of manual review. The automation of report generation means that a single actor can submit hundreds of low-quality claims in the time it previously took a human to submit one well-documented flaw.
“AI-generated low-quality and fake bug reports are flooding bug bounty programs”
The automation of vulnerability reporting marks a transition in the relationship between tech firms and the security community. As the barrier to entry for reporting drops, the signal-to-noise ratio collapses, which may discourage professional researchers and push companies toward closed, internal security audits instead of open, crowdsourced models.