AI Found So Many Bugs That HackerOne Cut Payouts by 75% — And Paused the Whole Program
The bug bounty gold rush just hit a wall. AI can find flaws faster than humans can fix them — and the money’s drying up.
The numbers: Critical bug payouts dropped from $9,250 → $2,257. Submissions jumped 76% in one year. Only 5% of reports now contain real vulnerabilities. The Internet Bug Bounty program — running since 2012, $1.5 million paid out — just hit pause.
Node.js, Curl, and Google’s open-source program all followed. The bounty economy that kept the internet patched for a decade is buckling under the weight of AI-generated reports.
🧩 Dumb Mode Dictionary
| Term | What It Actually Means |
|---|---|
| Bug bounty | Companies pay hackers to find security holes before criminals do |
| HackerOne | The biggest platform where companies list bounties and hackers submit reports |
| Internet Bug Bounty (IBB) | A special program that pays for bugs in open-source software everyone uses (like Node.js, Curl) |
| Remediation | Actually fixing the bug after someone finds it |
| AI-assisted research | Using AI tools to automatically scan code and find security holes |
| Slop reports | Low-quality, AI-generated bug reports that waste everyone’s time |
| Open-source maintainers | Volunteers who keep free software running — usually unpaid |
📉 The Bounty Crash — By the Numbers
Let’s look at what actually happened to the money:
| Bug Severity | Old Payout | New Payout | % Cut |
|---|---|---|---|
| Critical | $9,250 | $2,257 | -76% |
| High | $4,429 | $1,009 | -77% |
| Low | $597 | $68 | -89% |
That low-severity payout — $68. You’d make more selling lemonade. And this isn’t some random startup cutting corners. This is HackerOne, the platform that basically invented modern bug bounties, administering the program that protects the internet’s most-used open-source projects.
The old split was 80% of the money for finding bugs, 20% for fixing them. But here’s the thing nobody mentions: that 80/20 split was designed for a world where finding bugs was hard. AI just made it trivially easy.
🤖 What AI Actually Did to the Pipeline
HackerOne’s own data tells the story. Submissions jumped 76% year-over-year through March 2026. Sounds great, right? More bugs found = safer internet?
Nope. The share of reports flagging real, actual vulnerabilities held at about 25%. But valid, actionable submissions — ones where the bug is real AND matters AND isn’t a duplicate — dropped from 15% to below 5%.
That means for every 100 reports flooding in, roughly 95 are garbage. AI-generated noise. John Morello from Minimus calls it exactly what it is: “slop.”
And the 5% that ARE real? The volunteer maintainers who actually have to fix them can’t keep up. They’re drowning.
🪦 The Domino Effect — Who's Already Out
This isn’t just HackerOne being dramatic. The fallout is spreading fast:
- Curl — Daniel Stenberg (the guy who built curl, which runs on literally every device with an internet connection) stopped accepting bug bounty submissions back in January 2026
- Node.js — Paused their bounty program entirely, saying “as a volunteer-driven open-source project, Node.js does not have an independent budget to sustain a bounty program on its own”
- Google — Halted AI-generated submissions to their Open Source Software Vulnerability Reward Program in March
- Nextcloud — Also paused
Stenberg’s quote is telling: “We get an ever-increasing amount of really good security reports, almost all done with the help of AI.” So the AI reports aren’t all garbage — some are legitimately better than human ones. The problem is volume, not quality alone.
🗣️ What the Security World Is Saying
Ensar Seker, CISO at SOCRadar: Called the pause “a rational, even overdue correction” — saying HackerOne is acknowledging that “discovery has been industrialized by AI, but remediation capacity has not scaled accordingly.”
Jakub Ciolek, researcher: “In this AI-assisted era, the valuable work is no longer just ‘I found another bug.’ It is ‘I verified this matters and helped get it fixed.’”
HackerOne’s statement: “AI-assisted research is expanding vulnerability discovery across the ecosystem, increasing both coverage and speed. The balance between findings and remediation capacity in open source has substantively shifted.”
Translation: the machine found all the bugs. Nobody can fix them. The money’s gone.
🔍 The Counter-Argument — Is This Actually Bad?
Before we all mourn the death of bug bounties, let me push back on the doom narrative for a second.
The data shows something weird: bug bounties were already broken. $1.5 million paid out over 14 years across critical internet infrastructure. That’s about $107K per year. For context, a single senior security engineer at Google makes 4x that annually.
The IBB was always underfunded. AI didn’t kill it — AI just exposed how fragile the whole “pay volunteers to secure the internet” model was from the start.
But here’s the thing nobody mentions: this creates a market gap. A massive one. If AI can find bugs at industrial scale but nobody can fix them, whoever figures out the fix-at-scale problem wins everything. That’s the real story here.
Cool. AI just broke the bounty economy and there’s a pile of unfixed bugs everywhere. Now What the Hell Do We Do? (ง •̀_•́)ง
🕳️ The Remediation Broker
The bottleneck isn’t finding bugs anymore — it’s fixing them. Open-source maintainers are volunteers. They’re overwhelmed. Set up as a middleman: take AI-found vulnerabilities, verify them, write the actual patches, and sell the fix-ready package back to companies who depend on those open-source projects. Companies like Tidelift and Herodevs charge for maintaining old open-source software. You do the same thing, but specifically for the backlog of AI-discovered bugs that nobody’s patching.
Example: 24-year-old security student in Romania scrapes HackerOne’s public disclosure feed, filters for unpatched open-source bugs older than 30 days, writes verified patches, and offers them directly to companies running affected packages via LinkedIn outreach. Charges $200-500 per patch. Lands 3-4 per week within a month.
Timeline: First client in 10 days. Steady $2K/month in 6 weeks. Saturates at around $5K/month as bigger firms start doing this internally within 4-5 months.
🎣 The Slop Filter Service
95% of bug reports are now trash. Security teams at mid-size companies are drowning in AI-generated noise and can’t tell what’s real. Build a triage-as-a-service: you take raw vulnerability reports, use your own AI pipeline + manual verification to rate them, and give companies a clean feed of only the stuff that matters. Basically, you’re the spam filter for bug reports. Charge per-report or monthly retainer.
Example: 28-year-old infosec analyst in Brazil builds a Semgrep-based pipeline that re-scans reported code paths to verify if the bug is real + exploitable. Offers the service on security-focused Discord communities. Three SaaS startups sign up at $500/month within first month because their internal team was spending 20 hours/week reading garbage reports.
Timeline: First paying customer in 2 weeks. Hits $3K/month by month 2. Risk: larger security companies (Snyk, Veracode) add this feature natively within 6 months.
📡 The Pre-Patch Intelligence Feed
Here’s the sketchy-smart angle. AI is finding bugs in open-source code that powers millions of websites. Those bugs are being reported publicly. But the patches aren’t landing for weeks or months because maintainers can’t keep up. That gap between “bug publicly known” and “bug actually fixed” is a window. Build a paid alert service for companies: scan HackerOne’s Hacktivity, NVD, and GitHub security advisories. Cross-reference with a company’s dependency tree. Send instant alerts when their stack has a known-but-unpatched hole. Charge for speed.
Example: 22-year-old dev in Kenya writes a Python script using the GitHub Advisory Database API + npm audit data to build a real-time dashboard. Sells access to 3 fintech startups in Nairobi at $300/month each. They were previously relying on manual checks every quarter.
Timeline: MVP in 5 days. First subscriber in 2 weeks. Scales to $3-4K/month. Watch out: tools like Socket.dev already play in adjacent space. Your edge is speed + local market knowledge.
🪟 The Bounty Arbitrage Sprint
Bug bounty payouts just cratered on HackerOne’s IBB program. But private company bounties haven’t been cut yet. The play: use the exact same AI scanning tools that flooded IBB (tools like CodeQL, Semgrep, or even Claude for code review) to find bugs — but submit them to private company programs that still pay full price. Companies like Shopify, Uber, and Coinbase still run $10K-$50K bounty programs. The IBB crowd is leaving those programs because they’re demoralized. Less competition = better odds for you.
Example: 19-year-old in Turkey who used to hunt IBB bugs pivots to Shopify’s private program. Uses CodeQL to scan Shopify’s public repos for injection patterns. Finds a medium-severity IDOR (basically accessing someone else’s data by changing a number in the URL) in a merchant API. Gets $5,000. Total time: 3 days of scanning.
Timeline: First submission in 1 week. First payout in 3-4 weeks (review cycles). Sweet spot lasts 3-6 months before private programs also start adjusting to AI volume.
🔧 The Maintainer-for-Hire Pipeline
Open-source maintainers are quitting or burning out. Projects are literally pausing security programs because there’s nobody to do the work. But companies NEED those projects to stay secure. Position yourself as an outsourced maintainer. You don’t build the software — you just triage security issues, review PRs, and coordinate patches for a monthly fee. Target the projects that just lost their bounty programs: Node.js, Curl-dependent tools, Nextcloud plugins. Approach the companies (not the projects) that depend on this software and offer to be their dedicated security maintainer.
Example: 30-year-old sysadmin in Poland with Node.js experience reaches out to 10 European SaaS companies that have Node.js in their stack. Offers quarterly security audits of their Node dependencies + immediate patch coordination when new CVEs drop. Signs 2 clients at €800/month each. They were panicking because Node.js’s own bounty program just went dark.
Timeline: First contract in 3 weeks. Grows to €3-4K/month over 2 months. Long runway — this problem is getting worse, not better. Risk is that you need genuine Node.js security chops, not just a pitch deck.
🛠️ Follow-Up Actions
| Want | Do |
|---|---|
| Understand the bounty landscape | Read HackerOne’s 2025 Hacker-Powered Security Report |
| Learn AI-assisted bug hunting | Set up CodeQL + Semgrep on any open-source repo |
| Find companies with active bounties | Browse HackerOne’s directory — filter by “bounties offered” |
| Track open-source vulnerabilities | Monitor NVD feeds + GitHub Advisory Database |
| Start patching open-source code | Pick any project on GitHub’s “good first issue” security label and submit a fix |
Quick Hits
| Want | Do |
|---|---|
Run npm audit or pip audit right now — the unpatched backlog is real |
|
| Filter HackerOne directory by private programs with >$5K top bounty | |
| Install Semgrep (free) and run it on any GitHub repo | |
| Browse Hacktivity → filter “disclosed” → sort by newest | |
| Dark Reading’s breakdown of the remediation crisis |
AI learned to find every hole in the wall. Turns out nobody budgeted for bricks.
!