AI Slop Floods Bug Bounty Programs as Companies Struggle with Fake Reports

Artificial intelligence is creating a new headache for companies that rely on bug bounty programs to uncover software vulnerabilities.

Cybersecurity firms and open-source software projects are dealing with a surge of AI-generated bug reports, many of which are false or misleading. That’s per a report from Financial Times, which says that the growing number of low-quality submissions is forcing some organizations to pause bug bounty programs as security teams spend more time sorting real vulnerabilities from spam.

Bug bounties have also become big business, with companies including Meta, Microsoft, Apple, and Crypto.com collectively paying at least $58 million in 2025 to researchers who find software flaws before hackers do.

However, generative AI tools are also making it easier to exploit bug bounty programs by producing large volumes of inaccurate or low-quality vulnerability reports at scale.

According to San Francisco-based Bugcrowd, reports submitted through its platform more than quadrupled during three weeks in March. The company, whose clients include ChatGPT developer OpenAI, said most of the reports were fake.

Because of the flood of AI-generated reports, some companies have already begun rolling back their public bounty programs.

“Bug bounties are going to stay [but] they’re going to have to change,” Ross McKerchar, chief information security officer at cybersecurity company Sophos, told the Financial Times.

In April, cybersecurity platform HackerOne and hosting platform Nextcloud both suspended their paid bounty program, with Nextcloud adding that “no financial rewards will be awarded for any submissions, regardless of severity.”

“As you are likely aware, this is an industry-wide challenge and like others, we have been unable to find ways to responsibly handle the massive increase of low quality reports,” Nextcloud wrote. “We hope to be able to restart the program once a reliable approach to filtering out the low-effort reports has been found.”

The bug bounty news comes as AI models are becoming increasingly better at finding vulnerabilities. In March, Anthropic introduced Mythos, a cyber-focused AI model that the company says can identify vulnerabilities faster than humans. The company is currently keeping the model under wraps, only allowing access to the likes of tech giants, security firms, and governments.

In April, Claude Mythos identified 271 vulnerabilities in Mozilla Firefox during internal testing, while earlier this month, security researchers said a preview version of the model helped develop an exploit targeting Apple’s M5 chips.

Users on Myriad—a prediction market platform operated by Decrypt‘s parent company, Dastan—don’t believe that Claude Mythos will be released publicly by the end of June, currently penciling in just 18% odds.