Bug bounty programs, which pay researchers to find software flaws, are being overwhelmed by a flood of AI-generated fake reports. Cybersecurity firm Bugcrowd says submissions more than quadrupled in March, with most being false. HackerOne and cloud platform Nextcloud have both suspended their bounty programs, citing an inability to filter out low-quality reports.
Companies like Meta, Microsoft, Apple, and Crypto.com paid out at least $58 million in bounties in 2025. Now, generative AI tools are making it easy to submit inaccurate reports at scale, forcing security teams to spend more time sorting spam from real vulnerabilities.
"Bug bounties are going to stay, but they're going to have to change," said Ross McKerchar, CISO at Sophos. Some firms are exploring AI-driven filtering or restricting access to verified researchers.
Meanwhile, Anthropic's new cyber-focused AI model, Claude Mythos, demonstrated real capability in testing, finding 271 vulnerabilities in Firefox and helping develop an exploit for Apple's M5 chips. The model is not yet publicly available, with prediction markets giving it only 18% odds of release by end of June.