AI drives surge in ‘bug bounty’ reports, but ‘slop’ is rising too

HackerOne, one of the largest bug bounty platforms in the world, reported there were 85,000 valid bounty submissions in 2025, up 7% from the previous year.

Crypto protocols have warned that an increase in AI use has led to a flood of bogus bug bounty submissions, putting a strain on teams trying to identify real threats to their protocols. 

Bug bounties are a system to reward “good” hackers for submitting reports about potential vulnerabilities and are popular in the crypto industry. AI has now made it easier to sift through large amounts of code to find possible bugs, though AI is also known to hallucinate. 

“AI is changing the way that bug bounty programs must operate,” said Barry Plunkett, co-CEO of Cosmos Labs, on Tuesday, responding to a bug bounty hunter who accused the protocol of ignoring their vulnerability report. 

“Our program has seen a 900% increase in submission volume from last year, on the order of 20-50 per day,” he said, adding that it’s led to a huge increase in both valid and invalid reports. 

Kadan Stadelmann, a blockchain developer and chief technology officer at Komodo Platform, told Cointelegraph he has also seen a notable increase in bug bounty submissions and payouts across organizations. 

In January, Daniel Stenberg, the creator of the open-source data transfer tool curl, which is used in many apps, including blockchain infrastructure, announced he was ending his bug bounty program because of an influx of “AI slop in vulnerability reports,” and he was exhausted from sifting through them.

HackerOne, one of the largest bug bounty platforms in the world, reported in January that there were 85,000 valid bounty submissions in 2025, up 7% from the previous year.

Plunkett said Cosmos Labs has already started to adapt its approach as a result of the uptick in bug bounty submissions by tightening how it scores submissions, prioritizing trusted researchers with a proven track record and working with other bug bounty providers that offer more advanced triage.

Meanwhile, Stadelmann said bug bounty programs have proven integral to defending decentralized systems, and adopting AI to assist in sifting through the noise could be a solution.

“Blockchain teams will have to create AI deterrents to sift through incoming bug bounties. The smaller the team, the bigger the problem of increased bug bounties will become. Software engineers won't have the capacity to examine everything,” he said.

Related: Crypto hackers stole $17B over past 10 years: DefiLlama

Source: CoinTelegraph