ARTFEED — Contemporary Art Intelligence

Bug bounty programs overwhelmed by AI-generated false reports

ai-technology · 2026-05-18

Bug bounty initiatives, which compensate hackers for identifying software flaws, are currently overwhelmed by subpar AI-generated reports, prompting some firms to halt their programs. Bugcrowd, whose clients include OpenAI, T-Mobile, and Motorola, noted a fourfold surge in submissions within three weeks in March, most of which were inaccurate. In January, Curl, a data transfer application, paused its paid bug bounty scheme, citing an "explosion in AI slop reports." Cybersecurity experts observe that generative AI is altering the dynamics of bug bounties: it accelerates flaw detection for seasoned researchers, but it also invites a flood of automated or incorrect entries. Ross McKerchar, Sophos's chief information security officer, remarked that the rise in low-quality AI reports is "quickly becoming a major problem" and that bug bounty programs will need to evolve in response. Since the early 2000s, bug bounties have expanded, with substantial payouts for significant findings. In 2024, Google's program disbursed $17 million, up from $7.5 million in 2021, and its highest single payment was $605,000, awarded in 2022 for an Android vulnerability. McKerchar noted that the influx of poor-quality submissions stems both from novices and from seasoned researchers who are occasionally misled by AI tools.

Key facts

  • Bug bounty programs are being inundated with low-quality AI-generated reports.
  • Bugcrowd's report volume quadrupled over three weeks in March, with most being false.
  • Curl suspended its paid bug bounty program in January due to AI slop reports.
  • Generative AI lowers the barrier to entry for bug hunting, causing a flood of submissions.
  • Ross McKerchar of Sophos says poor-quality AI reports are a major problem.
  • Google's bug bounty program paid $17 million in 2024, up from $7.5 million in 2021.
  • Google's largest individual reward was $605,000 in 2022 for an Android vulnerability.
  • Both amateurs and experienced researchers are contributing to the rise in low-quality submissions.

Entities

Institutions

  • Bugcrowd
  • OpenAI
  • T-Mobile
  • Motorola
  • Curl
  • Sophos
  • Google
