Bug bounty programs are drowning in a flood of AI-generated “slop” reports, overwhelming security teams and forcing companies to retool their submission processes.
Curl creator Daniel Stenberg said the “never-ending slop” has taken “a serious mental toll,” while software group Nextcloud suspended its bug bounty program in April, citing a “massive increase of low-quality reports.”
HackerOne, which runs bug-reporting platforms for Goldman Sachs, Google, and the U.S. Department of Defense, reported a 76% jump in submissions year-over-year as of March. However, the share of reports confirming actual vulnerabilities remained flat at 25%.
In response, HackerOne has introduced “agentic validation capabilities” to help organizations manage high volumes of findings, including those generated by AI models like Anthropic’s newly launched Mythos.
HackerOne CEO Kara Sprague noted a recent uptick in higher-quality AI-assisted reports, saying the rise in AI submissions is “not a strong reason to say we don’t want them” altogether, provided the filtering improves.
Bugcrowd CEO Dave Gerry echoed that sentiment: “AI is going to help with a lot of things, but we’re never going to replace that human creativity.”
Firms are now building their own AI triage agents and introducing stricter background checks to separate signal from noise.