AI is speeding up how people find and report software flaws, flooding bug bounty programs and pushing companies to rethink payouts and patch timelines.
In short: AI is helping people find software security flaws faster, which is changing bug bounty programs and raising pressure to fix problems quickly.
Bug bounties are programs where companies pay people to report security holes in their software. Over the last decade, payouts grew, including Apple raising top rewards from $200,000 in 2016 to $2 million last year.
Now AI systems that can act on their own, sometimes called agentic models (like a helper that can search, test, and write steps without being asked each time), are finding more weaknesses and even helping build working attacks. Security researcher Joseph Thacker told WIRED he has submitted about three times more bugs than this time last year, and he expects big companies could spend much more on payouts.
The flood is not always helpful. The Curl project ended its bug bounty program in January after being swamped with low-quality AI-made reports. Linux creator Linus Torvalds also said Linux security email lists have become hard to manage due to high volume and duplicate AI reports.
Some organizations are adjusting. Google said it is changing reward levels in its Chrome and Android programs, lowering payouts for some types of bugs and increasing others. Anthropic also launched a HackerOne bug bounty covering its systems and Claude AI models.
AI is also reaching attackers. Google researchers said they observed criminals using AI tools to develop a previously unknown flaw, called a zero-day (a bug defenders do not know about yet), to bypass two-factor authentication (a second login check like a code texted to your phone). If these faster discoveries continue, companies may feel pressure to patch faster than today’s common 90-day disclosure window.
Source: Wired