AI Slop Floods Bug Bounty Programs as Companies Struggle with Fake Reports

In brief
- Companies running bug bounty programs report a sharp increase in low-quality AI-generated submissions.
- HackerOne and Nextcloud both suspended bug bounty programs after waves of fake reports.
- Security firms say AI tools are changing bug hunting by making it easier to submit reports at scale.

Artificial intelligence is creating a new headache for companies that rely on bug bounty programs to uncover software vulnerabilities.

Cybersecurity firms and open-source software projects are dealing with a surge of AI-generated bug reports, many of which are false or misleading. That’s according to a report from the Financial Times, which says the growing number of low-quality submissions is forcing some organizations to pause their bug bounty programs as security teams spend more time sorting real vulnerabilities from spam. Bug bounties have also become big business, with companies including Meta, Microsoft, Apple, and Crypto.com collectively paying at least $58 million in 2025 to researchers who find software flaws before hackers do.

However, generative AI tools are also making it easier to exploit bug bounty programs by producing large volumes of inaccurate or low-quality vulnerability reports at scale. According to San Francisco-based Bugcrowd, reports submitted through its platform more than quadrupled during three weeks in March. The company, whose clients include ChatGPT developer OpenAI, said most of the reports were fake.
