Agentic AI models are becoming adept at autonomously identifying software vulnerabilities and developing exploits for them, causing vulnerability disclosure programs to be flooded with submissions. One independent security researcher reported submitting three times more bugs than the previous year and estimated Google may spend two to 10 times as much on bug payouts.
The 90-day responsible disclosure window—the standard time window between finding bugs and disclosing them publicly—was built for a world where bug finders were rare and exploit development was slow, but AI has compressed both timelines. Google researchers observed criminal threat actors using AI tools to exploit a previously unknown vulnerability to bypass two-factor authentication on an open source system administration platform.
Some projects have suspended bug bounty programs due to AI-generated low-quality submissions: Curl ended its HackerOne program in January after being inundated, and Linus Torvalds stated the Linux security mailing list became 'almost entirely unmanageable' from high volume and duplicate AI bug reports. Google overhauled its Vulnerability Reward Programs for Chrome and Android in April, lowering payouts for some bug classes while increasing others.