AI-Generated Bug Reports Flood Bug Bounty Programs, Forcing Pauses
Companies running bug bounty programs are facing a surge in low-quality, AI-generated vulnerability reports, according to a Financial Times report. In March, Bugcrowd saw reports quadruple, most of which were fake. HackerOne and Nextcloud both suspended paid bounty programs in April, with Nextcloud stating no rewards would be awarded. The trend is forcing security teams to spend more time separating spam from genuine issues. Despite the challenges, bug bounties remain big business, with major companies paying at least $58 million in 2025. Meanwhile, AI models like Anthropic's Claude Mythos are improving at finding real vulnerabilities, identifying 271 flaws in Firefox during testing. However, AI is also enabling mass submission of false reports, which is leading to program adjustments. Industry experts predict bug bounties will evolve to filter out low-effort reports.
Key facts
- Bug bounty programs report a surge in low-quality AI-generated submissions.
- HackerOne and Nextcloud suspended paid bounty programs in April due to fake reports.
- Bugcrowd saw reports quadruple in March, most of which were fake.
- AI model Claude Mythos identified 271 vulnerabilities in Firefox during tests.
- Companies paid at least $58 million in bug bounties in 2025.