The cybersecurity industry is facing a new crisis as Large Language Models (LLMs) are being weaponized to flood bug bounty programs with “AI slop”—convincing but entirely fabricated vulnerability reports. Security teams and platforms are struggling to manage a surge of low-quality, hallucinated submissions that threaten to overwhelm the triage process and undermine the efficacy of global bug bounty ecosystems.
The Rise of Hallucinated Vulnerabilities
The core issue lies in the design of LLMs, which are optimized to provide helpful, coherent responses regardless of factual accuracy. Malicious actors and opportunistic users are leveraging this to generate professional-looking vulnerability write-ups for flaws that do not exist.
Vlad Ionescu, co-founder and CTO of RunSybil, explains that these reports often sound technically sound, forcing security engineers to waste valuable time investigating “ghost” vulnerabilities. “People are receiving reports that look like gold, but it’s actually just crap,” Ionescu notes. “The technical details were just made up by the LLM.”
Impact on Open Source and Security Platforms
The flood of AI-generated noise is already forcing developers to take drastic measures. The maintainer of the CycloneDX project on GitHub notably pulled their bug bounty program entirely after being inundated with AI-generated junk. Similarly, security researcher Harry Sintonen reported that the open-source project curl recently identified a fake report, while other platforms, including Open Collective, have reported their inboxes being flooded with similar AI-produced content.
How Major Platforms Are Responding
Major bug bounty intermediaries are acknowledging the shift in submission quality:
- HackerOne: Michiel Prins, co-founder and senior director of product management, confirms the platform is seeing a rise in “false positives” that lack real-world impact. The company has officially begun treating these hallucinated submissions as spam.
- Bugcrowd: Founder Casey Ellis reports an increase of 500 submissions per week, though he notes that while AI is widely used, it has yet to cause a catastrophic spike in “slop” compared to legitimate research.
- Mozilla: By contrast, Mozilla reports that the rejection rate for Firefox bug reports has remained steady, with less than 10% of monthly reports flagged as invalid.
The AI Arms Race in Cybersecurity
As the volume of automated reports grows, the industry is pivoting toward AI-driven filtration. HackerOne recently launched “Hai Triage,” a system that uses AI security agents to cut through noise and prioritize threats before human analysts conduct final validations.
While industry giants like Meta and Microsoft have declined to comment on their specific strategies, the consensus is clear: the future of bug bounty programs will depend on an ongoing arms race between LLMs generating fake vulnerabilities and AI-powered systems designed to detect them.
