AI Slop Forces Bug Bounty Suspensions as Bugcrowd Reports 4-Fold Submission Surge
Updated
Updated · Financial Times · May 17
AI Slop Forces Bug Bounty Suspensions as Bugcrowd Reports 4-Fold Submission Surge
2 articles · Updated · Financial Times · May 17
Curl in January and Nextcloud in April suspended paid bug bounty programs after a sharp rise in AI-generated, low-quality vulnerability reports swamped reviewers.
Bugcrowd said submissions more than quadrupled over a three-week stretch in March, with most reports false, showing how generative AI is flooding programs with automated or erroneous claims.
HackerOne reported a 76% jump in submissions in the year to March, though 25% still flagged legitimate vulnerabilities, suggesting AI is also helping some researchers find real flaws faster.
Companies are tightening background checks and deploying AI triage tools as six-figure bug rewards remain attractive—Google paid out $17 million last year, up from $7.5 million in 2021.
AI has made bug reports nearly free. Must companies now only pay for verified fixes, not just potential finds?
Will AI's rise make human hackers obsolete, or will they become elite wranglers for the most complex digital threats?
2026’s AI Slop Crisis: Bug Bounty Programs Struggle as AI-Generated Vulnerability Reports Surge
Overview
In early 2026, bug bounty programs and open-source projects faced a crisis as they were flooded with 'AI slop'—AI-generated vulnerability reports that are often low-quality, spammy, or hallucinated by large language models. These reports look convincing at first, forcing human security teams to spend valuable time reviewing and discarding them. This overwhelming stream strains resources, distracts from real threats, and leads to burnout among maintainers. As a result, organizations are adapting by tightening submission rules and developing new tools to filter out AI-generated noise, highlighting the urgent need for better management of AI in cybersecurity.