GitHub Replaces Cash Bug Bounties With Swag for Low-Impact Reports as AI Floods Submissions
Updated · InfoWorld · May 19
GitHub will stop paying cash for low-impact bug bounty reports and offer swag instead, while telling researchers to stop filing low-quality or out-of-scope submissions.
The change follows a sharp rise in AI-assisted reports that lack a working proof of concept or any real security impact, including reports whose attack path depended on a user choosing to trust a malicious repository, file or code-analysis prompt.
GitHub said AI itself is not banned, but every AI-assisted submission must be reviewed and validated by a human before it is filed.
Across the industry, curl has ended its bug bounty, HackerOne paused Internet Bug Bounty payouts, Google tightened its open-source rewards, and Linus Torvalds said the volume of duplicated AI-generated reports made Linux kernel triage nearly unmanageable.
Analysts said swapping cash for swag could deter newer researchers who rely on small payouts, even as lower queue noise may speed triage and rewards for experienced contributors.
By de-incentivizing smaller bug reports, is the tech industry accidentally closing the door on its next generation of cybersecurity talent?
As AI floods bug bounties, is swapping cash for swag the first step toward a new reputation-based reward system?