2 Sources
[1]
Crypto Firms Report Flood of AI-Driven Bug Bounty Submissions
HackerOne, one of the largest bug bounty platforms in the world, reported there were 85,000 valid bounty submissions in 2025, up 7% from the previous year. Crypto protocols have warned that an increase in AI use has led to a flood of bogus bug bounty submissions, putting a strain on teams trying to identify real threats to their protocols. Bug bounties are a system to reward "good" hackers for submitting reports about potential vulnerabilities and are popular in the crypto industry. AI has now made it easier to sift through large amounts of code to find possible bugs, though AI is also known to hallucinate. "AI is changing the way that bug bounty programs must operate," said Barry Plunkett, co-CEO of Cosmos Labs, on Tuesday, responding to a bug bounty hunter who accused the protocol of ignoring their vulnerability report. "Our program has seen a 900% increase in submission volume from last year, on the order of 20-50 per day," he said, adding that it's led to a huge increase in both valid and invalid reports. Kadan Stadelmann, a blockchain developer and chief technology officer at Komodo Platform, told Cointelegraph he has also seen a notable increase in bug bounty submissions and payouts across organizations. "There has definitely been an increase in low-quality bug bounty submissions, some of which have been false positives, potentially suggesting AI sourcing. One potential explanation is that AI has caused a decrease in the cost to produce a report, resulting in an influx of submissions." In January, Daniel Stenberg, the creator of the open-source data transfer tool curl, which is used in many apps, including blockchain infrastructure, announced he was ending his bug bounty program because of an influx of "AI slop in vulnerability reports," and he was exhausted from sifting through them. HackerOne, one of the largest bug bounty platforms in the world, reported in January that there were 85,000 valid bounty submissions in 2025, up 7% from the previous year. 
Plunkett said Cosmos Labs has already started to adapt its approach as a result of the uptick in bug bounty submissions by tightening how it scores submissions, prioritizing trusted researchers with a proven track record and working with other bug bounty providers that offer more advanced triage. Meanwhile, Stadelmann said bug bounty programs have proven integral to defending decentralized systems, and adopting AI to assist in sifting through the noise could be a solution. "Blockchain teams will have to create AI deterrents to sift through incoming bug bounties. The smaller the team, the bigger the problem of increased bug bounties will become. Software engineers won't have the capacity to examine everything," he said. "This is where defensive AI systems to automatically sift through incoming bug bounties will be crucial. Teams dependent on bug bounties will need to develop stricter standards on their bug bounty programs as a means of lowering the number of incoming reports."
[2]
AI flood drives surge in bogus crypto bug bounty reports
Crypto protocols are experiencing a surge in bogus bug bounty submissions due to increased use of AI, complicating efforts to identify genuine threats. Bug bounties reward ethical hackers for reporting vulnerabilities and are widely used in the crypto industry. While AI can efficiently scan large codebases for bugs, it also tends to generate inaccurate submissions. Barry Plunkett, co-CEO of Cosmos Labs, reported a 900% increase in bug bounty submissions, averaging between 20 and 50 per day. He noted that this uptick has resulted in a significant rise in both valid and invalid reports. "AI is changing the way that bug bounty programs must operate," Plunkett stated in response to concerns raised by a bug bounty hunter. Daniel Stenberg, creator of the open-source tool curl, announced in January the termination of his bug bounty program due to overwhelming quantities of "AI slop in vulnerability reports." Stenberg expressed frustration with the amount of time spent sifting through inauthentic submissions. HackerOne, a leading bug bounty platform, reported that there were 85,000 valid report submissions in 2025, a 7% increase compared to the previous year. This growth highlights the ongoing challenges faced by teams in managing bug bounty programs amid an increasing volume of submissions. In response, Cosmos Labs is modifying its approach by tightening submission scoring and prioritizing submissions from trusted researchers. Plunkett emphasized the need for collaboration with other providers to enhance submission triage processes.
Crypto protocols face a 900% surge in bug bounty submissions as AI tools generate both valid and fraudulent reports. Cosmos Labs receives 20-50 submissions daily, while curl creator Daniel Stenberg shut down his program entirely due to overwhelming AI slop in vulnerability reports.
The crypto industry is grappling with an unprecedented wave of AI-driven bug bounty submissions that threatens to overwhelm security teams tasked with identifying genuine vulnerabilities. Barry Plunkett, co-CEO of Cosmos Labs, revealed that his organization has experienced a staggering 900% increase in bug bounty submissions compared to the previous year, with the protocol now receiving between 20 and 50 reports daily [1]. This dramatic surge has led to a substantial rise in both valid and invalid reports, forcing crypto protocols to rethink how they manage their security programs.
Source: Cointelegraph
Bug bounty programs have long served as a critical defense mechanism in the crypto industry, rewarding ethical hackers for discovering and reporting security threats before malicious actors can exploit them. While AI has made it easier to scan large codebases for potential vulnerabilities, the technology's tendency to hallucinate has resulted in a flood of bogus crypto bug bounty reports that consume valuable resources [1].
The impact of AI-generated reports extends beyond the crypto sector. Daniel Stenberg, creator of the widely used open-source data transfer tool curl, announced in January that he was shutting down his bug bounty program entirely due to exhaustion from sifting through what he described as "AI slop in vulnerability reports" [1][2]. His decision underscores the strain that AI-generated submissions are placing on developers and security teams across the technology landscape.
Kadan Stadelmann, blockchain developer and chief technology officer at Komodo Platform, confirmed the trend, noting a marked increase in bug bounty submissions and payouts across organizations. "There has definitely been an increase in low-quality bug bounty submissions, some of which have been false positives, potentially suggesting AI sourcing," Stadelmann told Cointelegraph [1]. He attributed this phenomenon to AI reducing the cost of producing reports, resulting in an influx of submissions regardless of quality.
HackerOne, one of the largest bug bounty platforms globally, reported 85,000 valid bounty submissions in 2025, representing a 7% increase from the previous year [1][2]. This growth highlights the dual challenge facing organizations: managing increased submission volume while maintaining the effectiveness of their security programs.
In response to these pressures, Cosmos Labs has begun adapting its approach by tightening how it scores submissions, prioritizing trusted researchers with proven track records, and collaborating with other bug bounty providers that offer more advanced triage capabilities [1][2]. "AI is changing the way that bug bounty programs must operate," Plunkett stated, acknowledging the fundamental shift taking place in security operations [1].
Stadelmann suggested that the solution to AI-generated noise might paradoxically lie in AI itself. He emphasized that bug bounty programs remain integral to defending decentralized systems and proposed that blockchain teams develop defensive AI systems to automatically filter incoming submissions. "Software engineers won't have the capacity to examine everything," he warned, noting that smaller teams will face the biggest challenges as submission volumes continue climbing [1]. Teams dependent on bug bounty programs will need to establish stricter standards to reduce the number of incoming reports while ensuring legitimate vulnerabilities don't slip through the cracks. As AI continues reshaping the security landscape, the crypto industry must balance accessibility for genuine researchers against the operational burden on security teams managing fraudulent bug bounty submissions.
Summarized by Navi