Our Take
Bug bounty programs are drowning in AI-generated noise, not because the model is broken but because the volume dial is wide open and the filter is missing.
Why it matters
As AI tools proliferate, the signal-to-noise ratio in security workflows collapses, forcing companies to spend more on triage and researchers to compete for legitimate payouts. The incentive structure that funded security research is now under stress.
Do this week
Security teams: implement automated filters on bounty submission pipelines to reject low-confidence or duplicate findings before human review, and publish explicit exclusion criteria weekly so tooling vendors can tune their crawlers.
Bug bounty platforms face deluge of AI submissions
Corporate vulnerability reward programs are processing a surge of low-quality, often redundant submissions generated by automated AI tools. The Financial Times reports that researchers and program administrators describe the inflow as "never-ending," straining review capacity and diluting the payouts available to human finders.
The problem is structural, not new. Security researchers have always submitted findings; automation simply lowered the cost of submission to near-zero. AI tools can now enumerate potential vulnerabilities, check public databases, and file reports faster than a human team can review them. The result is legitimate findings buried under duplicates, false positives, and noise.
The economics of security research deteriorate
Bug bounties work on signal. A researcher spends weeks auditing code, finds a real vulnerability, submits it, and collects a payout. That payout funds further research. When the pipeline floods with AI-generated submissions, several things break at once:
- Triage time explodes. Programs must hire more reviewers or slow response times, raising operational cost.
- Payout pools stay fixed. More submissions chasing the same reward dollars means lower average payouts per legitimate finding.
- Researcher morale erodes. If half the submissions are noise, trust in the program degrades and experienced researchers migrate to other channels.
Companies benefit from a robust researcher community. When that community loses economic viability, the supply of high-quality vulnerability disclosures shrinks. The feedback loop is self-reinforcing in the wrong direction: less reward for real work, fewer real researchers, more reliance on automated scanning, more noise.
What program operators should do now
Ban or heavily rate-limit AI-generated submissions at the intake level. Set explicit rules: no bulk submissions, no submissions from known AI vulnerability scanners without prior approval, no duplicates of findings already in your database. Publish a machine-readable API contract that defines what you will and will not accept.
Separately, invest in better triage tooling. Automated deduplication, severity scoring, and researcher reputation signals can help humans focus on the signal. If you cannot build it, buy it or partner with a platform that can.
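The intake rules above (rate limits on bulk submissions, rejection of low-confidence reports, and deduplication against findings already on file) can be expressed as a small pre-triage gate. The code below is an added illustration, not tooling from any platform named in the article; the field names, thresholds and the "scanbot" sample batch are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Submission:
    researcher: str
    component: str     # affected asset, e.g. "auth-service"
    vuln_class: str    # e.g. "IDOR", "XSS"
    location: str      # endpoint or file the finding points at
    confidence: float  # 0..1, reporter-supplied or scanner-derived
    submitted_at: datetime

def fingerprint(sub: Submission) -> str:
    """Normalise the identifying fields so re-worded duplicates collide."""
    norm = lambda text: "".join(c for c in text.lower() if c.isalnum())
    key = "|".join(norm(f) for f in (sub.component, sub.vuln_class, sub.location))
    return hashlib.sha256(key.encode()).hexdigest()

class IntakeFilter:
    """Pre-triage gate: rejects bursts, low-confidence reports and known duplicates."""
    def __init__(self, min_confidence=0.6, burst_limit=5, window=timedelta(hours=1)):
        self.min_confidence, self.burst_limit, self.window = min_confidence, burst_limit, window
        self.seen = {}      # fingerprint -> first reporter
        self.attempts = {}  # reporter -> submission timestamps
    def evaluate(self, sub: Submission) -> str:
        # Every attempt counts toward the burst limit, accepted or not, so spraying is not free.
        cutoff = sub.submitted_at - self.window
        recent = [t for t in self.attempts.get(sub.researcher, []) if t > cutoff]
        self.attempts[sub.researcher] = recent + [sub.submitted_at]
        if len(recent) >= self.burst_limit:
            return "reject:rate_limited"
        if sub.confidence < self.min_confidence:
            return "reject:low_confidence"
        fp = fingerprint(sub)
        if fp in self.seen:
            return f"duplicate_of:{self.seen[fp]}"
        self.seen[fp] = sub.researcher
        return "accept"

def demo() -> list:
    """Constructed intake: a human report, a scanner re-filing it, then spraying."""
    t0 = datetime(2025, 1, 6, 9, 0)
    minute = lambda m: t0 + timedelta(minutes=m)
    batch = [Submission("alice", "Auth Service", "IDOR", "/api/v1/users/{id}", 0.9, minute(0)),
             Submission("scanbot", "auth-service", "idor", "/API/v1/users/{id}", 0.95, minute(1)),
             Submission("scanbot", "web", "XSS", "/search?q=", 0.2, minute(2))]
    batch += [Submission("scanbot", "web", "open-redirect", f"/r{i}", 0.8, minute(3 + i)) for i in range(5)]
    gate = IntakeFilter()
    return [gate.evaluate(s) for s in batch]
```

Rejected attempts still count toward the burst window, so a scanner cannot file low-confidence reports without spending its quota; the fingerprint only catches near-verbatim duplicates, and semantically similar reports still need human or richer automated review.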
Finally, adjust your payout model to reflect the new labor split. If researchers are competing with free AI submissions, increase bounties for findings that require human insight (business logic flaws, supply chain risks, threat modeling) and decrease them for low-hanging fruit that AI already covers well. Let the market price signal where human expertise still commands a premium.