Tools & Platforms · AI - Ars Technica · May 18, 2026

Bug bounty businesses bombarded with AI slop

AI tools are overwhelming bug bounty programs with low-quality submissions, forcing some companies to suspend their programs. This surge in "AI slop" is making it harder for businesses to identify genuine vulnerabilities, despite the potential for AI to aid experienced researchers.

Author: Morein.ai Editorial

Companies running bug bounty programs, which reward hackers for finding software flaws, are facing a new challenge: a deluge of low-quality, AI-generated reports. This "AI slop" is overwhelming systems and forcing some businesses to suspend their programs. Curl and Nextcloud, for example, have both temporarily halted their bug bounties due to this issue. This trend makes it difficult to discern genuine vulnerabilities amidst the noise.

The rise of generative AI is changing the landscape of bug bounty programs. While AI tools can help experienced researchers find flaws more quickly, they also lower the barrier to entry for less skilled individuals. This results in a flood of automated or erroneous submissions that companies must sift through, consuming valuable resources. Experts note that this surge in poor-quality reports is "quickly becoming a major problem."

Not all AI-generated submissions are negative. Some companies are seeing a rise in higher-quality reports from hackers who are effectively using AI to identify more sophisticated flaws. This suggests that while AI can create "slop," it can also be a valuable tool for legitimate researchers, enhancing their ability to uncover critical vulnerabilities.

To combat the influx of low-quality reports, companies are implementing more stringent background checks for participants and developing their own AI agents to triage submissions. Platforms like HackerOne are introducing advanced validation capabilities to manage the high volume of findings, including those generated by AI models. These measures aim to restore the effectiveness of bug bounty programs in an era of increasingly accessible AI tools.
