AI Slop Overwhelms Bug Bounty Programs

Summary
– AI-generated low-quality reports are overwhelming bug bounty programs, leading some companies to suspend them.
– Bugcrowd reported a fourfold increase in submissions in March 2024, with most being false.
– Curl suspended its paid bug bounty program in January due to an “explosion in AI slop reports.”
– Generative AI lowers the barrier to entry for bug hunters, causing a flood of automated or erroneous submissions.
– Experts say bug bounties will need to adapt as poor-quality AI reports become a major problem.
Businesses that rely on independent security researchers to uncover software vulnerabilities are facing a new and growing challenge: a surge in low-quality reports generated by artificial intelligence. This flood of AI-produced submissions has become so severe that some organizations have been forced to pause their bug bounty programs entirely.
Bug bounty programs, which reward hackers for discovering security flaws, have long been a cornerstone of corporate cybersecurity strategies. However, the rapid adoption of generative AI tools is now overwhelming these systems with spurious findings. Bugcrowd, a platform that manages bug bounties for clients including OpenAI, T-Mobile, and Motorola, reported that incoming submissions more than quadrupled during a three-week stretch in March. The vast majority of these reports were false.
The impact was stark enough that Curl, a widely used internet data transfer tool, suspended its paid bug bounty program in January. The company cited an “explosion in AI slop reports” and a noticeable decline in the overall quality of submissions as the driving factors behind the decision.
Cybersecurity experts warn that generative AI is fundamentally reshaping the economic model of bug bounty programs. On one hand, these tools empower experienced researchers to identify flaws more efficiently. On the other, they dramatically lower the barrier to entry, enabling a torrent of automated or erroneous reports that companies must painstakingly review.
Ross McKerchar, chief information security officer at cybersecurity firm Sophos, described the surge in low-quality AI reports as “quickly becoming a major problem.” He added, “Bug bounties are going to stay, but they’re going to have to change.”
Bug bounty programs have gained significant traction since the early 2000s, with top-tier discoveries sometimes earning six-figure payouts. Google’s program, for instance, distributed a total of $17 million last year, a sharp increase from $7.5 million in 2021. In 2022, the company awarded its largest single reward of $605,000 to a researcher who uncovered a vulnerability in its Android mobile operating system.
McKerchar noted that the rise in poor-quality submissions stems from two sources: newcomers attempting to find bugs for the first time, and existing researchers who are “sometimes getting led on by the AI agents.”
(Source: Ars Technica)