Bug bounty is hitting a breaking point as AI overwhelms programs, pushing a shift toward more sustainable, quality-focused security models.

Aikido Security

The bug bounty model is under strain as AI dramatically lowers the cost of finding and submitting vulnerability reports, while validation and remediation costs remain unchanged. High-profile programs like the Internet Bug Bounty, Node.js, and curl have paused or removed payouts after being overwhelmed by AI-generated submissions. Interviews with curl creator Daniel Stenberg and Bugcrowd founder Casey Ellis reveal a nuanced picture: removing financial incentives largely eliminated low-quality AI noise but didn't reduce overall load, as genuine high-quality reports also increased. The likely future involves vulnerability disclosure becoming a baseline expectation, more targeted rewards for high-impact findings, AI-assisted triage, and researchers shifting focus toward complex logic flaws and chained vulnerabilities where automation still struggles.

Bug bounty isn’t dead, but the old model is breaking

Open source is the first to feel the impact

What happens when you remove financial incentives