Artificial Intelligence Fuels Explosion in Bug Bounty Reports Alongside Growing 'Slop' Problem

According to HackerOne, one of the world's leading bug bounty platforms, 2025 saw 85,000 valid bounty submissions, a 7% year-over-year increase.

Cryptocurrency protocols are warning that the spread of AI-assisted tooling has brought a deluge of bogus bug bounty submissions, leaving development teams struggling to separate genuine security threats to their protocols from false reports.

A bug bounty program rewards ethical hackers who report potential security weaknesses, and the model has become widespread across the cryptocurrency sector. AI has made it far easier to comb through large codebases for candidate bugs, but the same tools are notorious for hallucinating and producing false positives, so a polished, confident-sounding report is no longer a signal that a real bug exists.

"The landscape of bug bounty programs is being fundamentally transformed by AI," Barry Plunkett, co-CEO of Cosmos Labs, stated on Tuesday, in response to a bug bounty researcher who claimed the protocol had disregarded their vulnerability submission.

Barry Plunkett tweet. Source: Barry Plunkett

"We've experienced a staggering 900% surge in submission volume compared to last year, receiving approximately 20-50 submissions daily," he explained, noting that this dramatic increase has produced both a rise in legitimate reports and a corresponding increase in invalid submissions.

Kadan Stadelmann, blockchain developer and chief technology officer at Komodo Platform, told Cointelegraph that he has seen a similar jump in bug bounty submissions, and in payouts, across a range of organizations.

"There has definitely been an increase in low-quality bug bounty submissions, some of which have been false positives, potentially suggesting AI sourcing. One potential explanation is that AI has caused a decrease in the cost to produce a report, resulting in an influx of submissions."

Last January, Daniel Stenberg, the developer of curl, the open-source data transfer tool used in countless applications including blockchain infrastructure, announced that he was ending his bug bounty program because he was overwhelmed by "AI slop in vulnerability reports" and exhausted by the effort of filtering through them.

Daniel Stenberg tweet: the creator of the open-source data transfer tool curl said he has received an influx of bug bounty submissions. Source: Daniel Stenberg

HackerOne, one of the world's most prominent bug bounty platforms, reported in January that 2025 saw 85,000 valid bounty submissions, a 7% increase over the prior year.

AI could be both the cause and the solution

Plunkett said Cosmos Labs has already changed how it handles the surge: stricter scoring criteria for submissions, preference for researchers with an established track record, and partnerships with other bug bounty providers that offer more sophisticated triage.

Stadelmann, meanwhile, said bug bounty programs have proven essential to securing decentralized systems, and suggested that using AI to filter the overwhelming volume of submissions could itself be an effective answer.

"Blockchain development teams will need to implement AI-based deterrents to process incoming bug bounty submissions. The challenge will become increasingly severe for smaller teams. Software engineers simply won't possess the bandwidth to review everything manually," he explained.

"This is where defensive AI systems to automatically sift through incoming bug bounties will be crucial. Teams dependent on bug bounties will need to develop stricter standards on their bug bounty programs as a means of lowering the number of incoming reports."
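One way to put the stricter scoring criteria Plunkett describes and the automated sifting Stadelmann calls for into practice is a pre-triage scorer that runs before a human reads a report. The Python below is an added example, not code from Cosmos Labs, Komodo or the article; the project snapshot, reporters, track records, reports and scoring weights are all constructed for illustration. It checks three things: whether the file paths and identifiers a report cites actually exist in the codebase (naming code that is not there is a common symptom of a hallucinated report), whether the report ships reproduction material, and the submitter's track record, then routes the report to fast-track, manual review or the back of the queue.

```python
import re
from dataclasses import dataclass, field

# Constructed snapshot of a project's source tree (path -> contents).
# Paths, symbols, reporters and reports below are invented for this example.
CODEBASE = {
    "pkg/ledger/transfer.go": """
package ledger

func (l *Ledger) Transfer(from, to Account, amount uint64) error {
    if err := l.subBalance(from, amount); err != nil {
        return err
    }
    return l.addBalance(to, amount)
}
""",
    "pkg/ledger/balance.go": """
package ledger

func (l *Ledger) subBalance(a Account, amount uint64) error { /* ... */ return nil }
func (l *Ledger) addBalance(a Account, amount uint64) error { /* ... */ return nil }
""",
}

# Constructed track record: reporter -> (valid reports, invalid reports).
TRACK_RECORD = {"alice": (12, 1), "bob": (2, 3)}


@dataclass
class Submission:
    reporter: str
    title: str
    body: str
    attachments: list[str] = field(default_factory=list)


REF_RE = re.compile(r"`([^`\n]+)`")  # backtick-quoted paths and symbols in the report
REPRO_PATTERNS = (r"steps to reproduce", r"proof of concept", r"\bpoc\b")


def verify_references(body: str, codebase: dict[str, str]) -> tuple[list[str], list[str]]:
    """Split the report's cited paths/identifiers into those present in the
    snapshot and those that appear nowhere in it."""
    all_source = "\n".join(codebase.values())
    found, missing = [], []
    for ref in REF_RE.findall(body):
        if "/" in ref:  # treat as a file path
            ok = ref in codebase
        else:  # treat as a symbol; drop call parens like Foo()
            sym = ref.split("(")[0]
            ok = re.search(rf"\b{re.escape(sym)}\b", all_source) is not None
        (found if ok else missing).append(ref)
    return found, missing


def has_reproduction(sub: Submission) -> bool:
    """An attachment or explicit reproduction steps count as repro material."""
    text = sub.body.lower()
    return bool(sub.attachments) or any(re.search(p, text) for p in REPRO_PATTERNS)


def reporter_weight(reporter: str, record: dict[str, tuple[int, int]]) -> float:
    """Laplace-smoothed valid ratio: an unknown reporter scores 0.5, not 0."""
    valid, invalid = record.get(reporter, (0, 0))
    return (valid + 1) / (valid + invalid + 2)


def triage(sub: Submission, codebase=CODEBASE, record=TRACK_RECORD) -> dict:
    found, missing = verify_references(sub.body, codebase)
    total = len(found) + len(missing)
    # A report that cites nothing concrete is scored like one whose citations fail.
    ref_score = len(found) / total if total else 0.0
    repro = 1.0 if has_reproduction(sub) else 0.0
    rep = reporter_weight(sub.reporter, record)
    score = round(100 * (0.5 * ref_score + 0.3 * repro + 0.2 * rep))  # weights are arbitrary
    if (total and ref_score < 0.5) or score < 40:
        verdict = "deprioritize"  # most citations do not resolve: likely hallucinated
    elif score >= 70:
        verdict = "fast-track"
    else:
        verdict = "manual"
    return {"score": score, "verdict": verdict, "found_refs": found, "missing_refs": missing}


# Constructed sample reports.
REPORT_GENUINE = Submission(
    reporter="alice",
    title="Unchecked subtraction in Transfer",
    body="`Transfer` in `pkg/ledger/transfer.go` calls `subBalance` without "
         "checking the balance first. Steps to reproduce: run the attached test.",
    attachments=["transfer_underflow_test.go"],
)
REPORT_SLOP = Submission(
    reporter="newbie",
    title="Critical reentrancy in vault",
    body="`pkg/ledger/vault.go` exposes `WithdrawAll()` which calls `ExternalHook` "
         "before updating state, allowing an attacker to drain all funds.",
)
REPORT_MIXED = Submission(
    reporter="bob",
    title="Zero-amount transfer",
    body="`Transfer` in `pkg/ledger/transfer.go` accepts a zero amount; "
         "I believe `validateAmount` is missing.",
)

if __name__ == "__main__":
    for report in (REPORT_GENUINE, REPORT_SLOP, REPORT_MIXED):
        result = triage(report)
        print(f"{report.title!r}: {result['verdict']} (score {result['score']}, "
              f"unresolved refs: {result['missing_refs']})")
```

The reference check is deliberately the heaviest-weighted signal, because it is the one a language model cannot fake without access to the real tree, while the reputation term is smoothed so that a first-time reporter is not discarded outright. The thresholds and weights need tuning against a program's own history of valid and invalid reports before they are trusted to route anything automatically.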