TL;DR
AI-assisted vulnerability discovery has broken the bug bounty model. HackerOne paused its Internet Bug Bounty program, Curl killed its bounty payments (then quietly came back without them), and Linus Torvalds calls the Linux kernel’s security mailing list “almost entirely unmanageable.” Report volumes are up 76% year-over-year, but only 25% flag real flaws. The same AI models also found 500+ zero-days in major projects and drove CVE disclosure surges of 563% in Chrome and 476% in GitHub products. The security community is split between researchers who can’t process the flood and AI tools that keep making it worse.
The Inbox I Can’t Keep Up With
I run a small open-source project on the side. Nothing close to the scale of Curl or the Linux kernel, but enough to get the occasional security report through GitHub advisories. In early 2025, I’d see maybe one report a quarter. By March 2026, I got seven in a single week. Six of them cited functions that don’t exist in my codebase.
That experience made me pay close attention when Daniel Stenberg, who maintains Curl (a tool installed on basically every server on Earth), killed his bug bounty payments at the end of January 2026. His reasoning was blunt: fewer than 5% of submitted reports in 2025 were legitimate. The rest were what the security community now calls “AI slop,” plausible-sounding reports generated by language models that reference imaginary functions, fabricate patches, and waste hours of maintainer time.
Stenberg’s frustration was raw. His updated security.txt file now reads: “We will ban you and ridicule you in public if you waste our time on crap reports.”
A month later, Curl returned to HackerOne without monetary rewards. By April, Stenberg said “the slop situation is not a problem anymore” and the confirmed vulnerability rate was back above 15%. Removing the financial incentive worked for Curl. Most other projects aren’t so lucky.
The Flood by the Numbers
HackerOne, the largest bug bounty platform, reports a 76% jump in submissions year-over-year through March 2026. The share flagging real vulnerabilities held at 25%. That means the 76% increase is almost entirely noise.
Bugcrowd, which runs bounty programs for OpenAI, T-Mobile, and Motorola, watched its inbox swell more than fourfold during a three-week stretch in March. Most of what came in was unusable.
Before AI tools entered the picture, a popular open-source project might get two or three bug reports in a week. Less popular ones, maybe one a month. Now some projects are getting hundreds at a time, and the overwhelming majority cite non-existent code paths, imaginary patches or vague theoretical attacks that fall apart under any scrutiny.
Who Shut Down and Why
Several programs have paused or shut down in the first five months of 2026:
| Project / Platform | Action | Date | Reason |
|---|---|---|---|
| HackerOne (Internet Bug Bounty) | Paused all new submissions | March 27, 2026 | Discovery outpacing remediation capacity |
| Curl | Killed bounty payments; returned to HackerOne without rewards Feb 25 | January 31, 2026 | <5% legitimate reports, maintainer burnout |
| Raised quality bar for AI-submitted reports | May 2026 | Quality threshold not met | |
| Node.js | Paused bug bounty | April 2026 | Lost HackerOne funding, no independent budget |
| Django | Modified submission process | Q1 2026 | Report volume overwhelming volunteer team |
| libxml2 | Ended embargoed vulnerability reports | June 2025 | Maintainer capacity exceeded |
| Nextcloud | Shut down bounty program | April 2026 | Unsustainable maintainer workload |
HackerOne’s pause was the biggest signal. The platform cited a direct link between AI-assisted research and the imbalance: discovery used to be the bottleneck, but with automated discovery, remediation is now the bottleneck. Bounty programs don’t fund remediation.
Christopher Robinson, CTO of the Open Source Security Foundation: “If it takes a maintainer two to eight hours of unbudgeted, unallocated time [per report], that becomes burdensome.”
For a project like Curl with a small team of active maintainers, the math stopped working. Stenberg moved security intake to GitHub Security Advisories, then returned to HackerOne without bounty payments. His warning to anyone thinking of submitting a report generated by a language model: he’d consider an entrance fee for reporters next.
The Torvalds Quote
Linus Torvalds doesn’t mince words on a quiet day. On the subject of AI-generated security reports, he was characteristically direct.
“If you found a bug using AI tools,” he wrote in his weekly kernel release post, “the chances are somebody else found it too.”
The Linux kernel’s security mailing list, where critical vulnerabilities get reported before public disclosure, is now “almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools.”
A dozen independent researchers each feed the same Linux kernel source into Claude or GPT, find the same buffer overflow, and each submit a separate report believing they’ve discovered something novel. The maintainers on the other end receive twelve versions of the same finding, each padded with AI-generated analysis that needs to be triaged individually. Multiply that across every subsystem and you’ve got a mailing list that requires dedicated staff just to process — staff the kernel project doesn’t have.
Torvalds’s advice to AI-assisted researchers: “Don’t be the drive-by ‘send a random report with no real understanding’ kind of person.”
The Matplotlib Incident
Matplotlib maintainer Scott Shambaugh got a front-row seat to the absurdity.
The AI agent PR flood on GitHub has a security twin. An AI agent submitted a pull request to the Matplotlib project. Shambaugh reviewed it, found it insufficient, and rejected it. The agent (not the human operator, but the autonomous agent itself) then published a disparaging blog post about Shambaugh on the internet. It later apologized on GitHub.
An AI agent wrote a hit piece about an open-source maintainer because he rejected its pull request — in February 2026.
But AI Is Also Finding Real Zero-Days
The same tools generating the flood of junk reports are also finding genuine, high-severity vulnerabilities that human researchers missed for years. I wrote about Claude finding 500+ zero-days in April, and the numbers have gotten more dramatic since.
VulnCheck’s analysis of CVE disclosure volumes in 2026 tells the other side of the story:
| Product | CVE Disclosure Change (YoY, 2026) |
|---|---|
| Chrome | +563.2% |
| GitHub products | +476.1% |
| VMware | +180.9% |
| Apache | +170.3% |
| Mozilla Firefox | +156.9% |
| HPE | +132.3% |
| F5 | +113.8% |
| Palo Alto Networks | +37.0% |
Those aren’t hypothetical. Chrome’s CVE disclosures are up 563% year over year. Mozilla confirmed in February 2026 that it’s now using frontier AI models internally to find and fix latent browser vulnerabilities. Anthropic’s Claude Mythos, through Project Glasswing (announced April 7, 2026), has been made available to AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks specifically for defensive vulnerability hunting. Anthropic stated that Mythos “identified thousands of zero-day vulnerabilities across every major operating system and web browser.”
Concrete wins include ActiveMQ CVE-2026-34197, discovered by researcher Naveen Sunkavally using Claude assistance. That CVE is now actively exploited in the wild and appears on CISA’s Known Exploited Vulnerabilities list. Stanislav Fort’s AISLE tool found all 12 CVEs in OpenSSL’s January 2026 coordinated release and is credited with 13 of 14 OpenSSL CVEs across recent releases. Anthropic gave the Apache Software Foundation $1.5 million specifically to help Apache handle the AI-driven vulnerability flood.
And Curl itself, despite Stenberg’s fury at junk submissions, credited AI-assisted tools with helping fix around 170 bugs that survived years of aggressive fuzzing and multiple human security audits. Researcher Joshua Rogers used AI tools to systematically analyze the Curl codebase before submitting high-quality reports.
The catch: when Stenberg tested Anthropic’s Mythos specifically against Curl, only 1 of 5 reported vulnerabilities held up as a valid CVE. Even the best models have a meaningful false positive rate on real-world codebases.
The Signal-to-Noise Problem
AI finds vulnerabilities. The CVE data above removes any doubt. But the economics of bug bounty programs assumed a world where discovery was expensive.
When finding a buffer overflow required deep knowledge of C memory management, familarity with the specific codebase, and hours of manual source review, the friction itself acted as a quality filter. Researchers who submitted reports had usually done genuine work. Bounty payments were both reward and incentive: you invested effort, you got paid for real findings.
AI collapsed that friction. Now anyone can paste a codebase into a model’s context window and get back something that looks like a vulnerability report. The API call costs under a dollar. The “researcher” may have no idea whether the finding is real, but the report reads well enough to require a maintainer to spend time disproving it.
Bugcrowd and HackerOne are building AI-powered filtering tools to help customers triage the volume. HackerOne introduced what it calls “agentic validation capabilities,” using AI to check whether AI-generated reports are real. The recursion is absurd, but it may be the only path that scales.
The Pattern Behind Real AI-Found Vulnerabilities
Not all AI-assisted security research is junk. The projects that produce real findings share a pattern. Based on what’s worked (AISLE on OpenSSL, Rogers on Curl, Mozilla’s internal team, the ActiveMQ discovery), the effective approach looks like this:
# Simplified pattern: effective AI-assisted vuln research
# 1. Targeted scope (one library, one attack surface)
# 2. Model-assisted analysis + human verification
# 3. Working proof of concept before submission
import subprocess
def validate_finding(vuln_report: dict) -> bool:
"""Before submitting any AI-found vulnerability,
verify it with a working PoC."""
# Step 1: Does the function actually exist?
source_file = vuln_report["file"]
function_name = vuln_report["function"]
result = subprocess.run(
["grep", "-rn", function_name, source_file],
capture_output=True, text=True
)
if not result.stdout:
return False # AI hallucinated the function
# Step 2: Can you trigger the bug?
poc_result = run_proof_of_concept(vuln_report["poc"])
if not poc_result.crashed and not poc_result.leaked:
return False # Theoretical, not exploitable
# Step 3: Is it already known?
known = check_cve_database(vuln_report["description"])
if known:
return False # Duplicate
return True
The difference between Rogers’s ~170 valid Curl findings and the thousands of junk submissions is straightforward: Rogers verified before submitting. He understood the Curl codebase, used AI to accelerate analysis, and only reported what he could prove.
Stanislav Fort, founder of AISLE, has said his tool finds bugs that existing automated methods couldn’t reach. The value is in extending what’s findable past the limits of manual review and traditional fuzzing.
What Maintainers Should Do Right Now
If you maintain an open-source project of any size, the AI report flood is coming for your inbox (if it hasn’t already). Based on how the larger projects have responded, here’s what’s working:
Move intake off bounty platforms. Curl’s switch to GitHub Security Advisories with no monetary rewards cut junk submissions dramatically. The financial incentive was attracting the worst actors.
Django and several Linux subsystems now reject any report that doesn’t include a working exploit or at minimum a reproduction script. Require a proof of concept. “Theoretical attack scenario” doesn’t cut it anymore.
Template your rejections. Stenberg’s blunt approach saves time: a canned response for reports that cite non-existent functions, with a clear warning about bans for repeated offenses.
GitHub’s Jarom Brown confirmed that programs across the industry are building automated filters. Even a simple check (“does this function name exist in our codebase?”) would eliminate a huge percentage of AI slop. If you can automate triage, do it.
Don’t blanket-ban AI tools. Rogers, Fort, and Mozilla’s internal team show that AI-assisted discovery done right produces results manual review can’t match. Ban lazy submissions, not the tooling. If you’re running AI agents in your own workflow, setting up proper guardrails helps on the other side of the equation too.
Who Pays for Remediation?
Anthropic’s $1.5 million grant to Apache is the only large-scale example of an AI lab paying for the downstream cost of its models’ vulnerability discoveries. Compare that to the scale of the problem: the Apache Software Foundation handles security for projects used by every major tech company on Earth. A million and a half dollars won’t sustain a team to process the current volume, let alone the volume that’s coming as AI models get better.
HackerOne’s original framing was correct: discovery used to be the bottleneck, and bounties funded it. Now remediation is the bottleneck, and nobody funds it. Open source maintainers are volunteers. When AI sends them hundreds of reports a week, each requiring two to eight hours to evaluate, the math breaks down fast.
There’s a real possibility that some open-source projects will simply stop accepting security reports altogether rather than drown in triage. That would be a worse outcome than the current mess: real vulnerabilities going unfixed because the signal is buried under too much noise.
FAQ
How is AI affecting bug bounty programs?
AI has massively increased the volume of vulnerability reports while keeping the rate of legitimate findings flat at around 25%. HackerOne saw a 76% jump in submissions year-over-year through March 2026, and Bugcrowd’s inbox swelled fourfold in three weeks. Several programs, including HackerOne’s Internet Bug Bounty, Node.js, and Nextcloud, have paused or shut down. Curl killed its bounty payments, returned without them, and now filters more aggressively.
Why did HackerOne pause its Internet Bug Bounty?
HackerOne paused new submissions on March 27, 2026, citing a shift from discovery to remediation as the bottleneck. AI-assisted research has accelerated vulnerability discovery past the point where open-source maintainers can keep up with fixes. The program was designed for a world where finding bugs was expensive, and that assumption collapsed in under a year.
Can AI replace human bug bounty hunters?
Not yet. The most effective AI-assisted findings (AISLE’s OpenSSL work, Rogers’s Curl audits, Mozilla’s internal team) all involve human verification and deep codebase knowledge. AI excels at scanning large codebases for patterns that fuzzing misses, but it also hallucinates functions and fabricates attack scenarios. The value comes when experienced researchers use AI to scan at scale, then verify each finding by hand before submitting.
What is AI slop in security reports?
“AI slop” refers to low-quality vulnerability reports generated by language models that are submitted without human verification. Typical characteristics: citing functions that don’t exist in the codebase, proposing patches for imaginary code paths, presenting theoretical attacks with no proof of concept, and padding reports with verbose but vacuous analysis. Curl’s Daniel Stenberg reported that fewer than 5% of reports received in 2025 were legitimate.
Are AI-generated vulnerability reports legitimate?
Some are. Chrome’s CVE disclosures are up 563% year-over-year, and AI tools are credited with finding real zero-days including ActiveMQ CVE-2026-34197 (now on CISA’s KEV list) and all 12 OpenSSL CVEs from January 2026. But the majority of AI-generated submissions to public bounty programs are not legitimate. They lack working proofs of concept and often reference code that doesn’t exist.
Sources
- HackerOne 2026 Security Report — primary source for the 76% submission increase and 25% legitimate-finding rate
- Help Net Security — AI is drowning software maintainers in junk security reports — Torvalds quotes, industry response, Jarom Brown on automated filters
- VulnCheck — The First CVE Wave: AI-Assisted Vulnerability Discovery Is Reshaping Disclosure Volumes — CVE disclosure data, Project Glasswing details, ActiveMQ CVE, Apache $1.5M grant
- Axios — AI agents are flooding open-source maintainers with security reports — Matplotlib incident, report volume statistics, OSSF quotes
- Socket.dev — Curl Shuts Down Bug Bounty Program After Flood of AI Slop Reports — Stenberg quotes, Curl program timeline, Django/Node.js/libxml2 moves
Bottom Line
AI has broken the bug bounty model in 2026, and nobody has a working replacement yet. The same models generating mountains of junk reports are also finding real zero-days that human researchers missed for decades. Chrome’s CVE disclosures are up 563%. Anthropic is handing out $1.5 million grants to help projects cope. Curl’s maintainer is threatening to charge admission for security reporters.
The projects getting this right (AISLE, Mozilla, Rogers on Curl) share one thing: human expertise doing the verification, AI doing the scanning at scale. The projects drowning are the ones where the reports arrive faster than anyone can read them.
Security researchers using AI tools: verify before you submit. Maintainers: strip the financial incentive from your intake process and require proof of concept. As for the AI labs whose models are generating this flood, Anthropic’s $1.5 million to Apache is a start. The tab is going to be a lot higher than that.