AI Slop Floods Bug Bounty Programs as Companies Struggle with Fake Reports
Artificial intelligence is causing problems for companies relying on bug bounty programs by generating large volumes of false or low-quality vulnerability reports. This surge in AI-generated spam has led some organizations to temporarily halt their bug bounty programs, as security teams struggle to filter genuine threats from irrelevant submissions. Major tech firms like Meta, Microsoft, Apple, and Crypto.com collectively paid at least $58 million to researchers in 2025 for valid bug discoveries, highlighting the scale of these programs. Platforms like Bugcrowd noted that most recent submissions were fake, and companies such as HackerOne and Nextcloud have paused paid programs due to difficulties in managing the spam influx. Despite these challenges, AI technology is also advancing vulnerability detection, exemplified by Anthropic’s new Mythos model, which claims to identify some issues faster than humans, though it remains restricted to select partners. There is skepticism about a widespread public release of such advanced tools in the near term.
