Bug bounty platforms battle rise in AI-slop reports
Fabricated reports flooding platforms at unprecedented scale
A surge in AI-generated "slop" is overwhelming corporate bug bounty programmes, forcing some companies to suspend their schemes.
Bug bounty programmes, which pay independent researchers to uncover software vulnerabilities, have expanded significantly since emerging in the early 2000s. Google said its programme paid out $17m in 2025, more than double the amount awarded four years earlier. The company's largest single payout reached $605,000 in 2022 after a researcher uncovered a major vulnerability affecting Android devices.
But firms say the rapid rise of generative AI tools is now flooding platforms with inaccurate or fabricated reports at an unprecedented scale.
Bugcrowd, a major bug bounty platform whose clients include OpenAI, Motorola, and T-Mobile, said the number of submissions it received more than quadrupled during a three-week period in March, but most of those reports turned out to be false positives or low-quality AI-generated findings.
Curl, the widely used internet data transfer tool, suspended its paid bug bounty scheme in January after what its creator, Daniel Stenberg, described as an "explosion in AI slop reports". Mr Stenberg said the "never-ending slop" had become exhausting to manage, adding that many reports took significant time and effort to disprove.
Software company Nextcloud also paused its bug bounty programme in April, citing a "massive increase of low-quality reports". The company said it hoped to relaunch the initiative once better filtering systems had been developed.
AI lowers the barrier to entry
Advances in generative AI are fundamentally changing the economics of bug bounty hunting. Whilst experienced researchers can use AI tools to identify flaws more efficiently, the technology has also lowered the barrier to entry, allowing inexperienced users to mass-produce submissions with little technical understanding.
Ross McKerchar, CISO at Sophos, told the FT that the increase in poor-quality reports was "quickly becoming a major problem".
Mr McKerchar said the influx came not only from amateur hackers experimenting with AI for the first time, but also from seasoned researchers who were "sometimes getting led on by the agents".
A third group – experienced AI developers – has begun building fully automated scanning and submission systems that are "creating absolute carnage".
Cyber-focused AI models
The growing use of AI in cyber security comes as companies race to develop increasingly sophisticated offensive and defensive systems. Last month, Anthropic launched Mythos, a cyber-focused AI model designed to identify software vulnerabilities faster than human researchers.
The UK's AI Security Institute warned that Anthropic's system was capable of carrying out multi-step cyberattacks with minimal human guidance. In an assessment, the system autonomously completed a 32-step enterprise attack simulation from beginning to end in a controlled environment.
Stricter vetting procedures
Companies running bug bounty schemes are now introducing stricter vetting procedures and building AI-powered filtering tools to manage the volume of submissions.
HackerOne says it has introduced new "agentic validation capabilities" to help customers process high volumes of AI-generated findings. HackerOne CEO Kara Sprague said the company had recently seen a rise in "higher quality" AI-assisted submissions and warned against dismissing AI-generated reports outright.
Bugcrowd said it had updated its submission policies and detection systems in an attempt to prioritise verified findings while discouraging speculative automated spam. Its chief executive, Dave Gerry, said AI would ultimately support skilled human researchers.
"AI is going to help with a lot of things," he said, "but we're never going to replace that human creativity."