Nextcloud's AI breaking point: bug bounty dead after flood of worthless reports


Cloud service provider Nextcloud has ended its bug bounty program due to a large number of submitted reports that are generated entirely by AI.

“Like many other software projects, we have been receiving an increasing number of generic AI security reports via platforms such as HackerOne for some time now. This makes it difficult for us to identify high-quality reports. Our aim is to reduce the number of low-effort AI-generated reports and focus on what really matters,” the company says in an email addressed to security researchers who have previously reported vulnerabilities to Nextcloud via HackerOne.

That’s why Nextcloud has decided to discontinue its bug bounty program by April 22nd. This means that ethical hackers, developers, and security researchers will no longer receive any financial rewards for vulnerability submissions. Only reports submitted prior to April 22nd will be processed under the previous policy.

Despite the discontinuation, Nextcloud remains accessible via HackerOne and welcomes any valid vulnerability reports.

In an interview with Tweakers.net, Jos Poortvliet, Co-Founder and Marketing Director at Nextcloud, says that the number of AI-generated vulnerability reports has increased significantly in recent months.

“It all happened really fast. The engineering team has made it clear internally that this situation is truly untenable. We’re spending twenty to thirty times as much time on reports as we used to, and most of it is redundant, invalid, or just complete nonsense,” he states.

Poortvliet hopes that bug bounty platforms like HackerOne will eventually step up and address the problems “AI slop” is causing. “It’s also undermining their business model,” the Marketing Director adds.

Nextcloud isn’t the only platform struggling with “AI slop.” Back in January, cURL decided to terminate bug bounty payouts because the company was being flooded with AI-generated “nonsense” bug reports.

Cybernews has previously reported that bug bounty programs are struggling because of AI-generated reports. HackerOne has paused its Internet Bug Bounty program, Google is rejecting AI-created reports, and the Linux Foundation raised $12.5 million in emergency funding because AI tools are finding security problems faster than people can fix them.
