May 20, 2026

Bug bounty businesses bombarded with AI slop


ManyPress Editorial Team


May 18, 2026 · 1:23 PM · 2 min read · Source: Ars Technica

He added there was a “third cohort” of “experienced AI builders” who had developed automated “end-to-end scanning and submission systems” that were “creating absolute carnage.” Curl’s creator, Daniel Stenberg, wrote in a blog post that the “never-ending slop” had taken “a serious mental toll to manage and sometimes also a long time to debunk.” Software group Nextcloud suspended its bug bounty program in April because of the “massive increase of low-quality reports.” It said it hoped to resume th

HackerOne, whose bug-reporting platform serves Goldman Sachs, Google, and the US Department of Defense, said it had “introduced new agentic validation capabilities” this year to “help organizations manage high volumes of findings,” such as those generated by models like Mythos. The company said submissions had jumped 76 percent in the year to March. But it said the share of reports flagging legitimate vulnerabilities had remained steady over the past year at 25 percent.

HackerOne chief executive Kara Sprague said it had in recent weeks seen a rise in “higher quality” reports that had used AI. She added that the rise in AI-generated submissions was “not a strong reason to say we don’t want them” altogether, given that hackers were using the technology to spot more flaws.

Bugcrowd chief Dave Gerry said developments such as Anthropic’s Mythos would assist human bug bounty hunters, not replace them. “AI is going to help with a lot of things but we’re never going to replace that human creativity,” he said.

© 2026 The Financial Times Ltd. Not to be redistributed, copied, or modified in any way.



This article was independently rewritten by ManyPress editorial AI from reporting originally published by Ars Technica.
