AI-driven bug reports overwhelm bounty programs

AI-generated vulnerability reports surged in March, prompting HackerOne and Nextcloud to suspend paid bounties after Bugcrowd reported a more-than-fourfold spike that included many fake submissions.

Bug bounty platforms and security teams reported a sharp surge of AI-generated vulnerability reports in March and April, leading some programs to suspend paid rewards. Bugcrowd reported that submissions on its platform more than quadrupled over three weeks in March and that many of the additional reports lacked credibility.

HackerOne paused its paid bounty program in April. Nextcloud halted its paid program and wrote that “no financial rewards will be awarded for any submissions, regardless of severity” while it seeks a reliable way to filter out low-effort reports.

Security teams say the volume of automated, low-quality reports is increasing the time analysts spend on triage and verification. Automated tools can produce structured write-ups and suggested exploit steps at scale, creating more items for engineers to check before confirming a genuine vulnerability.

Ross McKerchar, chief information security officer at Sophos, said that bug bounty programs will remain in place but will need changes to handle the new volume and type of submissions. Teams that run bounties must limit automated noise without removing the incentives for skilled researchers.

Bug bounty payouts remain a significant part of corporate security work. Major companies including Meta, Microsoft, Apple and Crypto.com together paid at least $58 million in 2025 to researchers who reported exploitable flaws.

Some organizations are tightening submission rules, adding stronger automated filtering, or moving more work to private programs for trusted researchers as they test new intake controls. Open-source projects and smaller teams have in some cases paused public payouts while they redesign intake processes.

At the same time, developers of advanced AI models are using those tools to find real vulnerabilities. A cyber-focused model developed by Anthropic underwent internal testing that identified 271 issues in a major browser, and a preview version was reported to have helped develop an exploit targeting Apple’s M5 chips. Access to that model remains limited to governments, security firms and large tech customers while its creators refine capabilities and safeguards.

Nextcloud described the surge as an industry-wide challenge and said it has not yet found a responsible way to process the high volume of low-quality reports. The company added it hopes to restart paid rewards once it finds a reliable filtering approach.

Companies running bounty programs must now balance the benefits of faster automated detection against the risk of high-volume, low-value submissions as they adjust rules, filtering and who is allowed to submit reports.
