AI-Generated Fake Bug Reports Flood Cybersecurity Programs, Crisis Looms
For years, the world's largest tech companies have relied on a simple yet highly effective security strategy: paying friendly, independent hackers millions of dollars to identify and report software flaws before cybercriminals can exploit them. However, as artificial intelligence grows more sophisticated, this entire ecosystem now faces a massive crisis. According to a recent report, generative AI tools are inundating these bug bounty programs with a relentless wave of automated, low-quality, and entirely fake reports, compelling some organizations to suspend their payout programs.

Why Cybersecurity Companies Are Frustrated

Cybersecurity firms are seeing a sharp increase in submissions. The core issue is not the volume but the quality of AI-generated reports, as reported by The Financial Times. Bugcrowd, a major platform serving clients like OpenAI, T-Mobile, and Motorola, reported that bug submissions more than quadrupled over a three-week period in March, but the vast majority were completely false. Similarly, rival platform HackerOne, which works with Google and the US Department of Defense, saw submissions jump by 76% in the year leading up to March. Experts cited in the report identify three distinct groups driving this surge. The first group comprises amateurs using AI chatbots to fabricate reports of non-existent flaws. The second group consists of misled professionals who trust flawed data provided by AI assistants. The third group includes automated spammers who have developed end-to-end scanning systems that mass-produce and submit fake bug reports.

Why This Is Becoming a Problem for Tech Professionals

The flood of fake AI-generated reports is forcing tech teams to spend hours debunking hallucinated computer code. Daniel Stenberg, the creator of Curl—a critical data-transfer tool used across the internet—announced the suspension of his company's paid bug bounty program. In a blog post, Stenberg stated that managing the never-ending slop had taken a serious mental toll and wasted valuable development time. Software provider Nextcloud followed suit, halting its own bounty program after a massive increase in low-quality reports.

The timing is critical because of the launch of Anthropic's Mythos. Bug bounties have evolved into a massive industry; Google alone handed out $17 million in bounties, with its highest single payout reaching $605,000 for an Android operating system vulnerability. With Mythos available, the incentive to automate the process has skyrocketed. To survive this crisis, the cybersecurity industry is turning to tighter background checks and building its own defensive AI models to act as digital gatekeepers.

About the Author: TOI Tech Desk is a dedicated team of journalists committed to delivering the latest and most relevant news from the world of technology to readers of The Times of India. Their coverage spans gadget launches, reviews, trends, in-depth analysis, exclusive reports, and breaking stories that impact technology and the digital universe.