Brief IA

HackerOne and Google Curb AI: Saturated Bug Bounties

🤖 Models & LLM·Tom Levy·

HackerOne and Google Curb AI: Saturated Bug Bounties

HackerOne and Google Curb AI: Saturated Bug Bounties
Key Takeaways
1HackerOne suspends its bug bounty payments, overwhelmed by AI-generated reports, after distributing $1.5 million.
2Node.js continues to accept reports via HackerOne, but without offering rewards, illustrating the impact of AI on the industry.
3Google imposes stricter conditions for its Open Source Software VRP program, requiring proof of reproduction to filter out false reports.
💡Why it mattersAI threatens the economic viability of vulnerability hunters by increasing unnecessary reports, disrupting the balance of security programs.
Le brief IA que lisent les pros

Le brief IA que les pros lisent chaque soir

Les 7 actus IA du jour, décryptées en 5 min. Gratuit.

Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.

Choisis ton rythme

Gratuit · Pas de spam · Désabonnement en 1 clic

📄
Full Analysis

The Impact of AI on Bug Bounty Programs

Bug bounty programs, essential for cybersecurity, are currently facing a crisis triggered by the extensive use of artificial intelligence. HackerOne, a major platform in this field, has recently decided to suspend payments for its historic program, active since 2012 and having distributed over $1.5 million. This decision is driven by an artificial saturation of reports, a direct consequence of AI usage.

The Internet Bug Bounty (IBB) has traditionally allocated 80% of its funds to discovering new vulnerabilities and 20% to fixing them. However, AI has significantly increased the number of submissions without improving their quality. HackerOne acknowledged that AI-assisted research has expanded vulnerability discovery across the entire ecosystem, thus disrupting the balance between reports and processing capacity.

Node.js and Google Respond

Node.js, one of the first projects affected, continues to accept reports via HackerOne but without offering financial rewards. This situation is not unique. In January, Daniel Stenberg, the creator of Curl, shut down his program after receiving twenty reports in three weeks, none of which described a real vulnerability. By 2025, only 5% of Curl submissions were exploitable, with each false report requiring between 30 minutes and 3 hours of validation by volunteers.

Google has also reacted by tightening the conditions of its Open Source Software VRP program. Now, the tech giant requires proof of reproduction via OSS-Fuzz or a merged patch to filter out the noise caused by irrelevant reports.

A Different European Approach

In Europe, the situation is somewhat different. YesWeHack, a French platform, has seen collaborations between bug hunters increase by 520% since 2022. Having become the preferred provider for the European Commission for open source bug bounties, YesWeHack adopts a hybrid model where AI assists in triaging, but hunters retain control over analysis. Institutions like France Identité and the French Army participate in these structured programs.

Additionally, the Linux Foundation has secured $12.5 million in funding from Google, Anthropic, AWS, Microsoft, and OpenAI. These funds are intended to develop AI tools for maintainers, not submitters, with the goal of automating report triage rather than discovery.

The real danger lies in the fact that AI could make the profession of bug hunter economically unsustainable by flooding security programs with unnecessary reports that no one can effectively filter.

Brief IA — L'actualité IA en français

L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.