AI is breaking bug bounty programs by finding vulnerabilities faster than humans can fix them


Bug bounty programs that have kept the internet secure for over a decade are buckling under the weight of AI-generated vulnerability reports. HackerOne has paused its Internet Bug Bounty program, Google is rejecting AI-assisted submissions, and the Linux Foundation just secured $12.5 million in emergency funding as AI tools find security flaws faster than human maintainers can fix them.

Software vulnerabilities exist by the bucketload, as anyone who maintains an open-source project knows well.

Critical flaws have historically sat unnoticed in software held together by small teams, volunteers, or maintainers working in their spare time – until they’re discovered, at which point crisis ensues. From Heartbleed to XZ Utils, the pattern has long been feast or famine.

To try to smooth out the uncertainty, bug bounty programs have long existed – to encourage people to identify issues before they’re exploited by hackers. But that was a pre-AI era, and AI models’ capabilities at finding faults mean those bug bounty initiatives are coming under strain.

The Internet Bug Bounty program has paused new submissions because HackerOne, which administers the scheme, said AI-assisted research is expanding vulnerability discovery across the ecosystem. Finding a balance between findings and remediation capacity has “substantively shifted,” they claimed.

The program has awarded more than $1.5 million since launching in 2012, but that model may break when an AI system can identify large numbers of issues in an instant.

There’s no money

HackerOne isn’t alone in realizing that people could soon be swamped by the overwhelming volume of errors to fix. In March, the Linux Foundation announced a $12.5 million security funding push, backed by Anthropic, AWS, GitHub, Google, Google DeepMind, Microsoft, and OpenAI.

That’s good news, but the reason it’s needed is less good. It is only the start of what will be required, because even that amount won’t be enough to handle the influx of reports that is coming.

“Grant funding alone is not going to help solve the problem that AI tools are causing today on open-source security teams,” said Greg Kroah-Hartman of the Linux kernel project.

“OpenSSF has the active resources needed to support numerous projects that will help these overworked maintainers with the triage and processing of the increased AI-generated security reports they are currently receiving.”

Big tech holds back

It’s not just at the non-profit or smaller company end of the scale that AI is stretching bug bounty programs. Google has started tightening its open-source rewards process, saying it will no longer accept some AI-generated submissions because too many are low-quality.

Google now wants stronger proof for some reports, such as an OSS-Fuzz reproduction or a merged patch. The aim is to weed out hallucinated findings, but increasingly modern models aren’t making things up – they’re finding real problems that would take humans far longer to uncover.

Anthropic said Claude Opus 4.6 found 22 Firefox vulnerabilities in two weeks, including 14 that Mozilla classed as high severity.

Mozilla’s own write-up said all 22 CVEs were fixed in the latest browser version, and noted that the model also uncovered distinct classes of logic errors that fuzzers had not previously found. And that was before the release of Mythos, which Anthropic isn’t releasing widely because it can so quickly find exploits in pretty much all publicly available software.

Open source software – and the bug bounty programs that have kept holes largely patched – has long depended on an uneven labor model in which critical infrastructure is often maintained by surprisingly few people. If AI dramatically increases the supply of findings and the total that needs to be paid out, while the number of people able to assess and fix those findings barely changes, we risk entering a vicious cycle in which there isn’t enough money to pay for the human time needed to fix the problem.

The answer AI companies give is that their products can solve that, taking in those reports and fixing them. But if an AI is finding the issue, who should get paid? It’s a tricky question the cybersecurity world needs to address in order to keep bug bounty programs viable.
