HackerOne and Google Curb AI: Saturated Bug Bounties

Le brief IA que les pros lisent chaque soir
Les 7 actus IA du jour, décryptées en 5 min. Gratuit.
Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.
Choisis ton rythme
Gratuit · Pas de spam · Désabonnement en 1 clic
The Impact of AI on Bug Bounty Programs
Bug bounty programs, essential for cybersecurity, are currently facing a crisis triggered by the extensive use of artificial intelligence. HackerOne, a major platform in this field, has recently decided to suspend payments for its historic program, active since 2012 and having distributed over $1.5 million. This decision is driven by an artificial saturation of reports, a direct consequence of AI usage.
The Internet Bug Bounty (IBB) has traditionally allocated 80% of its funds to discovering new vulnerabilities and 20% to fixing them. However, AI has significantly increased the number of submissions without improving their quality. HackerOne acknowledged that AI-assisted research has expanded vulnerability discovery across the entire ecosystem, thus disrupting the balance between reports and processing capacity.
Node.js and Google Respond
Node.js, one of the first projects affected, continues to accept reports via HackerOne but without offering financial rewards. This situation is not unique. In January, Daniel Stenberg, the creator of Curl, shut down his program after receiving twenty reports in three weeks, none of which described a real vulnerability. By 2025, only 5% of Curl submissions were exploitable, with each false report requiring between 30 minutes and 3 hours of validation by volunteers.
Google has also reacted by tightening the conditions of its Open Source Software VRP program. Now, the tech giant requires proof of reproduction via OSS-Fuzz or a merged patch to filter out the noise caused by irrelevant reports.
A Different European Approach
In Europe, the situation is somewhat different. YesWeHack, a French platform, has seen collaborations between bug hunters increase by 520% since 2022. Having become the preferred provider for the European Commission for open source bug bounties, YesWeHack adopts a hybrid model where AI assists in triaging, but hunters retain control over analysis. Institutions like France Identité and the French Army participate in these structured programs.
Additionally, the Linux Foundation has secured $12.5 million in funding from Google, Anthropic, AWS, Microsoft, and OpenAI. These funds are intended to develop AI tools for maintainers, not submitters, with the goal of automating report triage rather than discovery.
The real danger lies in the fact that AI could make the profession of bug hunter economically unsustainable by flooding security programs with unnecessary reports that no one can effectively filter.
Brief IA — L'actualité IA en français
L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.