GitHub is overhauling its bug bounty program in response to a surge of low-quality, AI-assisted vulnerability submissions. New requirements include working proof-of-concept demonstrations, demonstrated security impact, and validation of AI or scanner-generated findings. Researchers submitting low-severity findings may now receive company swag instead of cash payouts. GitHub emphasizes it welcomes AI-assisted research but holds human researchers accountable for submission accuracy. The move echoes cURL's earlier decision to shut down its bug bounty program entirely after being overwhelmed by AI-generated 'slop' reports. GitHub also clarified its shared responsibility model, noting that prompt injection attacks and malicious repository content generally fall outside its security boundary definitions.