How AI Is Flooding Bug Bounty Programs and Changing Cybersecurity
Bug bounty programs have long been a key way companies find security flaws before hackers do. They reward independent researchers for spotting vulnerabilities. But now, these programs face a new problem — a flood of AI-generated bug reports. Many are fake or low-quality, and the flood is overwhelming security teams.
AI tools can scan large amounts of code in minutes and produce reports that read convincingly. But most of these reports lack real technical depth or a working exploit, and many describe vulnerabilities that do not exist. Security teams must spend hours sorting through the noise, which slows down the process of fixing genuine bugs. Some companies have even paused or ended their public bounty programs because of this.
For example, the popular cURL project shut down its bug bounty program early this year. Its founder, Daniel Stenberg, called the surge of AI-generated reports “never-ending slop.” The Linux kernel security mailing list has also become nearly unmanageable because of repeated, duplicate AI submissions. Maintainers now waste time triaging the same issues over and over.
The Bug Bounty Model Under Pressure
Bug bounty programs depend on trust between researchers and companies. Researchers need to trust their work will be fairly rewarded. Companies need to trust reports are accurate and worth investigating. When AI floods programs with weak reports, that trust breaks down.
Many security platforms report a huge jump in submissions this year. One platform saw reports quadruple in just a few weeks. But the share of real, valid findings remains about 25%. That means roughly three out of four reports are noise. This “signal-to-noise” collapse frustrates everyone involved.
Some bounty platforms are cutting rewards to cope. HackerOne, a major player, recently slashed payout amounts by up to 75%. What used to pay $9,000 for a critical bug now pays less than $2,300. Smaller rewards and tougher rules aim to discourage low-quality AI submissions.
Finding a Way Forward
AI isn’t the enemy here; the way it is used is. The problem is that many researchers rely on AI to generate reports without verifying or testing them. A report without a proof-of-concept exploit, reproduction steps, or some other form of real validation wastes everyone’s time. Leading platforms now require a working exploit before they will accept a report.
This shift means bug hunting will need more human effort in verification and testing. AI can help generate leads, but real expertise is needed to confirm and fix bugs. The industry is moving from rewarding discovery alone to rewarding the entire remediation process.
Some companies are experimenting with stricter submission rules. They want to filter out AI spam while still welcoming new researchers. This includes technical challenges or reputation systems that prioritize trusted contributors. Private bounty programs with vetted researchers may become more common.
AI tools themselves could also improve. Developers could add guardrails to prevent bulk spam submissions. But enforcing this is tough, especially when many tools are open source and widely available.
The flood of AI-generated bug reports shows a broader challenge for cybersecurity. How do you keep quality high when machines can produce vast amounts of content? The answer lies in better tools, smarter policies, and more human judgment. Bug bounty programs must evolve or risk losing their value in the AI era.
Based on
- The AI Era Is Creating a Bug Hunting Arms Race — wired.com
- AI Slop Floods Bug Bounty Programs as Companies Struggle with Fake Reports — tech.yahoo.com
- HackerOne Slashes Bug Bounty Rewards: Is AI to Blame? (2026) — korekom.org
- Bug Bounty Platforms Face AI-Generated Spam Crisis — aibusinessreview.org
- AI Slop Floods Bug Bounty Programs as Companies Struggle wit | Appify — appify.global
- AI Slop Is Killing Bug Bounty Programs — Act Now | byteiota — byteiota.com