“Nation state issues are very serious and very real, but criminal actors still make up the vast majority of incidents that organizations deal with and many of those incidents are quite serious,” Hultquist adds. “Zero-day use by criminal actors has been fairly limited, and the ones that do use them tend to be really successful, so I think we shouldn’t underestimate the impact of more criminals with a zero day in their hands.”
For researchers making money through bug hunting, though, times are changing. The command-line tool Curl ended its bug bounty program (run through third-party service HackerOne) in January after being inundated with low-quality submissions generated by AI.
“We have concluded the hard way that a bug bounty gives people too strong incentives to find and make up ‘problems’ in bad faith that cause overload and abuse,” the group wrote at the time, adding that “we still appreciate and value valid vulnerability reports.”
Last week, Linux creator and lead developer Linus Torvalds wrote that the famed Linux security mailing list has become “almost entirely unmanageable” because of high volume and duplicate AI bug reports.
In April, though, Daniel Stenberg, the founder and lead developer of Curl, said in a LinkedIn post that the quality of submissions had improved. “Over the last few months, we have stopped getting AI slop security reports in the curl project,” he wrote. “Instead we get an ever-increasing amount of really good security reports, almost all done with the help of AI. They’re submitted in a never-before seen frequency and put us under serious load.”
And at the end of April, Google announced that it was overhauling its Vulnerability Reward Programs for Chrome and Android and lowering payouts for some classes of bugs, while increasing others.
“As the security research landscape evolves with AI, we’re making changes in our programs to ensure we’re rewarding the most challenging and impactful vulnerabilities in our products,” the company wrote.
“I think 90th percentile bug hunters with special skills will always be able to have findings and get payouts from big companies,” says Jonathan Dunn, a cardiologist who is also a bug bounty hunter. “But even with AI, we also need to heavily incentivize ethical researchers to find stuff on public infrastructure and other critical systems that otherwise may not get enough attention from defenders.”
For now, most organizations seem ready to throw every solution they can think of at the problem (and benefit) of accelerated bug discovery. “This is changing the dynamics of the bug-hunting industry, but it absolutely still requires human time,” says Alex Zenla, chief technology officer of cloud security firm Edera.
Earlier this month, Anthropic launched a HackerOne bug bounty for researchers to submit findings on the company’s own systems and Claude AI models. Increasingly, though, some researchers argue that structural defenses are necessary to address accelerating vulnerability discovery. In other words, they’re architecting digital solutions for different classes of vulnerabilities that eliminate them or make them significantly less exploitable in practice.
“You can’t patch your way out of this,” says longtime security engineer and researcher Niels Provos. “You need to build infrastructure that makes as many bugs as possible irrelevant.”