AI-Generated Bug Reports Overwhelm Security Bounty Programs

Summary
– AI slop, or low-quality LLM-generated content, has proliferated online, affecting websites, social media, and even cybersecurity with fake bug reports.
– Cybersecurity experts report AI-generated bug bounty submissions that appear legitimate but contain hallucinated vulnerabilities, wasting time and resources.
– Major bug bounty platforms like HackerOne and Bugcrowd are seeing increased AI-generated reports, leading to false positives and spam-like submissions.
– Some companies, like Mozilla, report no significant rise in AI-generated bug reports, while others, such as Meta and Microsoft, declined to comment.
– Solutions being explored include AI-powered triage systems, like HackerOne’s Hai Triage, to filter out low-quality submissions while maintaining human oversight.

The cybersecurity industry faces a growing challenge as AI-generated bug reports flood bounty programs with fabricated vulnerabilities. Security teams now spend valuable time sifting through convincing but entirely fictional reports created by large language models (LLMs), wasting resources and delaying genuine threat detection.
Vlad Ionescu, CTO of RunSybil, describes how these AI-generated reports appear technically sound at first glance, only to reveal themselves as hallucinations upon closer inspection. “People receive polished write-ups that seem legitimate, but the vulnerabilities simply don’t exist,” he explains. The issue stems from LLMs being designed to produce helpful responses: when prompted for a report, they generate one, regardless of whether the vulnerability is real.
This phenomenon isn’t isolated. Security researcher Harry Sintonen recently exposed a fake report submitted to the open-source project Curl, which was quickly identified as AI-generated. Similarly, Open Collective’s Benjamin Piouffle reported inboxes “flooded with AI garbage,” while one developer abandoned their bug bounty program entirely after receiving mostly fabricated submissions.
Major bug bounty platforms like HackerOne and Bugcrowd confirm the trend, noting a rise in false positives: reports that look credible but lack real-world impact. Michiel Prins of HackerOne warns that these submissions create noise, undermining program efficiency. Meanwhile, Bugcrowd reports a weekly increase of 500 submissions, many assisted by AI, though founder Casey Ellis notes that most still pass quality checks, for now.
Not all companies are equally affected. Mozilla, for instance, maintains a steady rejection rate for Firefox bug reports, with no significant AI-generated influx. However, tech giants like Google, Meta, and Microsoft declined to comment on whether they’re experiencing similar issues.
To combat the problem, some platforms are turning to AI-powered triaging systems. HackerOne recently launched Hai Triage, which uses AI agents to flag duplicates and prioritize legitimate threats before human analysts step in. As both hackers and defenders increasingly rely on AI, the cybersecurity landscape faces a new arms race, one where distinguishing real threats from algorithmic fiction becomes the ultimate challenge.
(Source: TechCrunch)
