AI Floods Bug Bounty Programs with Low-Quality Reports
Bug bounty programs are under pressure like never before. These programs pay outside security researchers to find software flaws. Now a flood of low-quality reports, many of them generated with AI tools, is overwhelming the companies that run them and changing how bug bounties work.
In just a few months, some platforms have seen report volume climb sharply. One major bug bounty provider, for example, reported an increase from 1.9 million to more than 3.2 million monthly submissions. Almost half of these reports are low-value or false positives. Program operators have a name for this: the “AI slop” problem.
Many organizations feel the strain. cURL, the widely used data transfer tool, recently paused its bug bounty program. Its creator said the flood of AI-generated reports had taken a heavy mental toll: triaging an endless stream of reports, most of them meaningless, consumes maintainer time and energy that should go into the code.
Other organizations are tightening the rules. They have raised eligibility requirements for submitters and started using AI tools of their own to triage incoming reports. This filters out some of the noise, but it is not a complete fix. Skilled human researchers say they feel sidelined as their genuine findings are buried under the automated flood.
How AI Changed Bug Hunting
AI has made discovering bugs easier for everyone, which is good in theory. But it also lowers the barrier to entry. Newcomers with an AI assistant can submit large volumes of low-quality reports, while more capable operators build automated pipelines that scan targets and file reports nonstop. Program managers are left to sort through the result.
On the bright side, AI is also finding complex vulnerability chains. Anthropic’s new model, Mythos, is reported to trace multi-step exploit paths more effectively than human analysts. That means serious security holes can be spotted faster. But vendors are cautious: they often restrict access to such models so the same capability is not handed straight to attackers.
The AI-driven bug discovery boom has pushed disclosure numbers up. Some vendors report up to five times as many vulnerability reports as before. That sounds like progress, but it adds stress. Security teams spend hours each week filtering out false leads, leaving less time to fix real problems.
What This Means for Security Teams
The flood of AI reports is forcing companies to rethink bug bounty programs. Many are increasing budgets to keep researchers motivated; some Indian IT giants, for example, recently raised payouts by over 30 percent. The balance is tricky, though: more reports mean higher triage costs and slower response times.
Security experts say bug bounties will not disappear. Instead, they will evolve. Programs will add stricter vetting and better automated tooling to separate signal from noise. Humans will remain essential for creativity and judgment; AI tools will assist real hackers, not replace them.
Open-source projects face extra challenges. Small teams may lack the resources to keep pace with AI-driven bug discovery, and attackers use the same tools to find and exploit flaws before fixes arrive. The result is a race between defenders and attackers in the AI era.
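To make the idea of stricter vetting concrete, here is an added Python example of the cheap, deterministic checks a program can run before a human ever reads a report: target in scope, some reproduction artefact present, a boilerplate score, and duplicate detection. It is not code from cURL, from any bounty platform, or from any of the sources listed below; the field names, phrase list, evidence patterns and threshold are assumptions chosen for the example, and the sample reports are constructed.

```python
"""Pre-triage gate for bug bounty submissions (illustrative).

Added example, not code from any bounty platform or from cURL. Every
field name, pattern and threshold here is an assumption for the example.
The gate collects every failing reason instead of stopping at the first,
so the submitter gets complete feedback and triagers can see patterns.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Phrases typical of generated text that names no concrete finding.
# Constructed list; a real program would tune it from its own rejections.
BOILERPLATE = (
    "potential vulnerability",
    "could potentially",
    "may allow an attacker",
    "it is recommended to",
    "best practices",
)
BOILERPLATE_THRESHOLD = 0.5  # reject when at least half the sentences are filler

# A reproducible report normally carries at least one of these artefacts.
EVIDENCE_PATTERNS = (
    re.compile(r"^\s*(curl|wget|python3?|node|\$)\s", re.M),             # a command line
    re.compile(r"\b(GET|POST|PUT|DELETE)\s+/\S*\s+HTTP/1\.[01]"),          # a raw HTTP request
    re.compile(r"(0x[0-9a-fA-F]{6,}|Segmentation fault|AddressSanitizer)"),  # a crash
    re.compile(r"https?://\S+"),                                           # the affected URL
)


@dataclass
class Report:
    title: str
    body: str
    asset: str  # hostname or package the report claims to affect


@dataclass
class Verdict:
    accept: bool
    reasons: list = field(default_factory=list)


def fingerprint(report: Report) -> str:
    """Normalise asset + title so trivially reworded resubmissions collide."""
    title = re.sub(r"[^a-z0-9 ]", "", report.title.lower())
    title = re.sub(r"\s+", " ", title).strip()
    return hashlib.sha256(f"{report.asset}|{title}".encode()).hexdigest()[:16]


def boilerplate_ratio(body: str) -> float:
    """Fraction of sentences containing at least one boilerplate phrase."""
    sentences = [s for s in re.split(r"[.!?]\s+", body) if s.strip()]
    if not sentences:
        return 1.0  # an empty body is all filler
    hits = sum(1 for s in sentences if any(p in s.lower() for p in BOILERPLATE))
    return hits / len(sentences)


def has_evidence(body: str) -> bool:
    return any(p.search(body) for p in EVIDENCE_PATTERNS)


def pre_triage(report: Report, in_scope: set, seen: set) -> Verdict:
    """Run every check and collect all failures. `seen` holds fingerprints of
    accepted reports and is updated only on acceptance, so a rejected report
    that is fixed and resubmitted is judged on its new content."""
    reasons = []
    if report.asset not in in_scope:
        reasons.append(f"asset {report.asset!r} is out of scope")
    if not has_evidence(report.body):
        reasons.append("no reproduction artefact (command, request, crash or URL)")
    ratio = boilerplate_ratio(report.body)
    if ratio >= BOILERPLATE_THRESHOLD:
        reasons.append(f"boilerplate ratio {ratio:.2f} >= {BOILERPLATE_THRESHOLD}")
    fp = fingerprint(report)
    if fp in seen:
        reasons.append(f"duplicate of accepted report {fp}")
    if not reasons:
        seen.add(fp)
    return Verdict(accept=not reasons, reasons=reasons)


# Constructed sample data for the example.
SCOPE = {"app.example.com"}
GOOD = Report(
    title="Stored XSS in /profile display name",
    body=("Set the display name to the payload below; it is rendered unescaped "
          "on /profile for every viewer.\n\n"
          "curl -X POST https://app.example.com/profile -d 'name=<img src=x onerror=alert(1)>'\n\n"
          "The response body contains the payload unmodified."),
    asset="app.example.com",
)
SLOP = Report(
    title="Potential vulnerability in login",
    body=("The login form could potentially be vulnerable to injection attacks. "
          "It is recommended to follow security best practices and validate all input. "
          "This may allow an attacker to compromise the application."),
    asset="app.example.com",
)

if __name__ == "__main__":
    seen = set()
    resubmit = Report("STORED XSS in /profile display name!!", GOOD.body, GOOD.asset)
    for r in (GOOD, SLOP, resubmit):
        v = pre_triage(r, SCOPE, seen)
        print(f"{r.title!r}: {'accept' if v.accept else 'reject'} {v.reasons}")
```

The gate is deliberately dumb: it does not judge whether the XSS is real, only whether the report carries anything a human could reproduce. That is the point of a pre-filter in a program flooded with generated submissions: it spends no analyst time on reports that give the analyst nothing to work with, and it leaves the judgment calls to people.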
Despite the headaches, the AI revolution in security is here to stay. The key will be managing the flood of data and focusing on fixing bugs faster. For now, bug bounty programs are caught in a balancing act between opportunity and overload.
Based on
- Bug bounty businesses bombarded with AI slop – Ars Technica — arstechnica.com
- ‘Never-ending’ AI slop strains corporate hacking reward schemes – Financial Times (via HyprNews) — hyprnews.in
- AI and software security: the slop is now signal – Engineered.at — engineered.at
- AI revolution? CVE disclosures jump by up to 500% for some vendors – Cyber Daily — cyberdaily.au
- AI and software security: the slop is now signal – anderegg.ca — anderegg.ca
- Welcome to the Vulnpocalypse: AI Security Tools Uncover Record-Breaking Number of Vulnerabilities – LavX News — news.lavx.hu