In brief
- Companies running bug bounty programs report a sharp increase in low-quality AI-generated submissions.
- HackerOne and Nextcloud both suspended bug bounty programs after waves of fake reports.
- Security firms say AI tools are changing bug hunting by making it easier to submit reports at scale.
Artificial intelligence is creating a new headache for companies that rely on bug bounty programs to uncover software vulnerabilities.
Cybersecurity firms and open-source software projects are dealing with a surge of AI-generated bug reports, many of which are false or misleading. That is according to a report from the Financial Times, which says the growing number of low-quality submissions is forcing some organizations to pause their bug bounty programs as security teams spend more time separating real vulnerabilities from spam.
Bug bounties have also become big business: companies including Meta, Microsoft, Apple, and Crypto.com collectively paid at least $58 million in 2025 to researchers who find software flaws before attackers do.
However, generative AI tools are also making it easier to abuse bug bounty programs by producing large volumes of inaccurate or low-quality vulnerability reports at scale.
According to San Francisco-based Bugcrowd, reports submitted through its platform more than quadrupled over three weeks in March. The company, whose clients include ChatGPT developer OpenAI, said most of those reports were fake.
Because of the flood of AI-generated reports, some companies have already begun rolling back their public bounty programs.
“Bug bounties are going to stay [but] they’re going to have to change,” Ross McKerchar, chief information security officer at cybersecurity company Sophos, told the Financial Times.
In April, cybersecurity platform HackerOne and self-hosted collaboration platform Nextcloud both suspended their paid bounty programs, with Nextcloud adding that “no financial rewards will be awarded for any submissions, regardless of severity.”
“As you are likely aware, this is an industry-wide problem and like others, we have been unable to find ways to responsibly handle the massive increase of low quality reports,” Nextcloud wrote. “We hope to be able to restart the program once a reliable way of filtering out the low-effort reports has been found.”
The bug bounty news comes as AI models are getting better and better at finding vulnerabilities. In March, Anthropic released Mythos, a cyber-focused AI model that the company says can identify vulnerabilities faster than humans. The company is currently keeping the model under wraps, allowing access only to the likes of tech giants, security firms, and governments.
In April, Claude Mythos identified 271 vulnerabilities in Mozilla Firefox during internal testing, while earlier this month security researchers said a preview version of the model helped develop an exploit targeting Apple’s M5 chips.
Users on Myriad, a prediction market platform operated by Decrypt’s parent company, Dastan, do not believe Claude Mythos will be released publicly by the end of June, currently penciling in just 18% odds.