How AI is ruining bug bounty programs wherein tech companies pay millions of dollars for finding flaws
For several years, the world’s biggest tech companies have relied on a simple, highly effective security strategy: pay friendly, independent hackers millions of dollars to find and report flaws in their software before cybercriminals can exploit them. As AI becomes more sophisticated, that entire ecosystem is facing a massive crisis. According to a report, generative AI tools are flooding these “bug bounty” programs with a relentless wave of automated, low-quality and completely fake reports, forcing some organisations to shut down their payout programs entirely.

Why cybersecurity companies are frustrated

Cybersecurity companies are witnessing surges in traffic due to an increased number of submissions. The problem is not the number but the quality of the AI-generated reports, as per The Financial Times. Bugcrowd, a major platform whose clients include OpenAI, T-Mobile and Motorola, claimed that the number of bug submissions more than quadrupled over just a three-week period in March, but the vast majority of them were completely false. Similarly, rival platform HackerOne, which serves Google and the US Department of Defense, saw submissions jump 76% in the year leading up to March. The report cites experts as saying that this surge is driven by three distinct groups. The first is amateurs using AI chatbots to write up reports for flaws that don’t actually exist. The second group consists of misled professionals who trust flawed data handed to them by AI assistants. Thirdly, there are automated spammers who have built end-to-end scanning systems that mass-produce and submit fake bug reports.

Why this is becoming a problem for tech professionals

The flood of such fake AI-generated reports is forcing tech groups to spend hours debunking hallucinated computer code. Daniel Stenberg, the creator of Curl, a critical data-transfer tool used across the internet, announced the suspension of his company’s paid bug bounty program. Stenberg wrote in a blog post that managing the “never-ending slop” had taken a “serious mental toll” and wasted valuable development time. Software provider Nextcloud followed suit, halting its own bounty program after a “massive increase of low-quality reports.” Meanwhile, the timing is critical due to Anthropic’s Mythos. Bug bounties have evolved into a massive industry, with Google alone handing out $17 million in bounties; its highest single payout reached $605,000 for an Android operating system vulnerability. The incentive to automate the process has skyrocketed with the launch of Anthropic’s Mythos. To survive this, the cybersecurity industry is turning to tighter background checks and building its own defensive AI models to act as digital gatekeepers.