Bug bounty businesses bombarded with AI slop

Published: May 18, 2026 at 09:23 AM EDT

Source: Ars Technica

AI‑generated bug bounty reports cause chaos

He added there was a “third cohort” of “experienced AI builders” who had developed automated “end‑to‑end scanning and submission systems” that were “creating absolute carnage.”

“The never‑ending slop has taken a serious mental toll to manage and sometimes also a long time to debunk.” – Daniel Stenberg, creator of cURL, in a blog post.

Software group Nextcloud suspended its bug bounty program in April because of a “massive increase of low‑quality reports.” The company hopes to resume the program once it has found an effective way to filter submissions.

The surge in AI‑generated reports comes as Anthropic last month launched Mythos, its new cyber‑AI model, which it says can find software flaws faster than humans.

Industry responses

  • Companies running bug bounty programs have started to introduce more stringent background checks and are building AI agents to triage submissions.
  • HackerOne, whose platform serves Goldman Sachs, Google, and the U.S. Department of Defense, introduced “new agentic validation capabilities” this year to help organizations manage high volumes of findings generated by models like Mythos. Submissions jumped 76% in the year to March, but the share of reports flagging legitimate vulnerabilities remained steady at 25% over the past year.
  • HackerOne CEO Kara Sprague noted a recent rise in “higher quality” reports that used AI, adding that the increase in AI‑generated submissions “is not a strong reason to say we don’t want them” altogether, given that hackers are using the technology to spot more flaws.
  • Bugcrowd chief Dave Gerry said developments such as Anthropic’s Mythos would assist human bug bounty hunters, not replace them: “AI is going to help with a lot of things but we’re never going to replace that human creativity.”