HackerOne Slashed Bug Bounties by 76% — Because AI Won't Stop Finding Bugs


The Internet Bug Bounty program that paid hackers to secure open-source code just hit the brakes — AI made bugs TOO easy to find

A critical vulnerability that used to earn you $9,250 now pays $2,257. Low-severity bugs dropped from $597 to $68. The program that’s been running since 2012 and paid out over $1.5 million just told researchers: we’re pausing submissions.

Between you and me, this is the most predictable disaster in the history of bug bounties. AI tools got so good at finding vulnerabilities that the people running HackerOne’s Internet Bug Bounty program basically said “we can’t fix bugs as fast as machines find them.” So instead of scaling up their fix game, they scaled down YOUR paycheck.

[Image: Bug Bounty Pause]


🧩 Dumb Mode Dictionary

  • Bug Bounty: Companies pay hackers cash for finding security holes in their software — legal hacking for money
  • Internet Bug Bounty (IBB): A specific program on HackerOne that pays for bugs found in open-source software everyone uses (like web servers, programming languages)
  • HackerOne: The biggest platform where companies list bounties and hackers submit bugs — think eBay for security research
  • Open Source: Software where the code is free and public — anyone can read it, use it, or find holes in it
  • Vulnerability: A weakness in code that someone could use to break in, steal data, or cause damage
  • Remediation: Actually fixing the bug after someone finds it
  • Critical/High/Low Severity: How dangerous a bug is — critical = someone can take over your whole system, low = minor annoyance
  • AI-Assisted Research: Using AI tools to automatically scan code and find security bugs instead of doing it manually

🔍 How We Got Here

The Internet Bug Bounty program has been around since 2012. It was one of the good ones — funded by big tech companies to pay independent researchers who found bugs in open-source software that literally the entire internet depends on.

Then AI happened.

Tools like AI code scanners started finding vulnerabilities at a rate no human team could match. HackerOne’s own statement said it plainly: “AI-powered research is expanding the scope of vulnerability discovery and improving the comprehensiveness and speed of discovery.”

→ More bugs found → not enough developers to fix them → system overloaded → program paused on March 27, 2026.

The cruel part? The bugs are real. They’re not hallucinations (well, most of them aren’t). There’s genuinely more broken code than anyone can patch.

📉 The Receipts — Bounty Price Massacre

Severity       Old Payout   New Payout   % Cut
🔴 Critical    $9,250       $2,257       -76%
🟠 High        $4,429       $1,009       -77%
🟡 Medium      ~$2,000      ~$500        ~-75%
🟢 Low         $597         $68          -89%

That low-severity cut is diabolical. Sixty-eight dollars. For finding a real security flaw in software used by millions of people. You’d make more money returning shopping carts at Walmart.

Source: HackerOne IBB program page

💥 The Domino Effect

It’s not just HackerOne’s IBB. The ripple hit fast:

  • Node.js — the JavaScript runtime that runs half the internet’s backends — paused its own bug bounty program because their funding came through HackerOne’s IBB pipeline. Gone.

  • cURL — the command-line tool installed on literally every computer on earth — had already suspended its bounty earlier because of an avalanche of garbage AI-generated reports. Its maintainer Daniel Stenberg has been vocal about AI researchers submitting “vulnerabilities” that don’t actually exist.

  • Other open-source projects are watching this closely. If the IBB model collapses, the incentive structure for securing free software collapses with it.

The pattern: AI floods → maintainers drown → bounties shrink → real researchers leave → software stays broken. Beautiful cycle.

🗣️ What The Community's Saying

The security research community is… not happy:

  • Researchers who spent years building skills to find real bugs are now competing against $20/month AI subscriptions that spray-and-pray thousands of reports
  • Open-source maintainers (mostly volunteers, by the way) are getting buried under AI-generated reports — many of which are false positives or duplicates
  • Some researchers argue HackerOne is using AI as an excuse to cut costs while their private enterprise programs (for companies like Google, Microsoft, etc.) still pay top dollar
  • The gap between what a Fortune 500 company pays for bugs vs. what open-source gets is now absurd — Google pays $250,000+ for a Chrome sandbox escape while IBB pays $2,257 for a critical bug in software Google depends on

The vibe: if AI can find it, it’s not worth paying a human for.

⚠️ Why This Actually Matters (Even If You Don't Hunt Bugs)

Open-source software runs everything. Your bank. Your hospital. Your phone. The servers behind every app you use.

The Internet Bug Bounty was one of the few financial incentives keeping independent researchers looking at this code. Without it:

  • Bugs pile up unfixed in software like OpenSSL, Apache, nginx, Python, Ruby, PHP
  • Nation-state hackers (who don’t need bounty money) still find and stockpile these bugs
  • The window between “bug discovered” and “bug exploited” gets shorter while the “bug fixed” timeline gets longer

→ More known-but-unfixed vulnerabilities in critical infrastructure → more breaches → your data.

This isn’t theoretical. It’s supply-and-demand economics applied to the security of the entire internet.


Cool. So AI Killed the Bounty Hunter’s Paycheck… Now What the Hell Do We Do? ( ͡° ͜ʖ ͡°)

Hacking Use Case

🕳️ The Triage Gatekeeper

Here’s the angle nobody’s working yet: open-source maintainers are drowning in AI-generated bug reports they can’t sort through. Most are garbage. Some are real. Nobody has time to tell the difference.

Here’s what you do: position yourself as a bug report triage service. You take the flood of incoming AI reports, verify which ones are real, write proper reproduction steps (which AI reports never include), and hand maintainers a clean list. Charge per validated report or monthly retainer.

The play works because maintainers will pay to NOT read 200 junk reports a week. And YOU can use AI to pre-filter the AI reports (yes, fighting AI with AI) — but the human verification step is where the value is.

🧠 Example: A 24-year-old security student in Kraków, Poland builds a triage bot using Semgrep + manual review. She partners with 3 mid-size open-source projects on GitHub, charges $800/month each for verified-only reports. The projects save their maintainers 15+ hours a week. She scales to 10 projects in 2 months.

📈 Timeline: First client in 5-7 days (cold-email maintainers who publicly complain about AI spam on Twitter/GitHub). Saturates at ~15 projects before you need to hire. Window lasts until platforms build this in natively — probably 6-9 months.
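If you actually want to build the triage gate described above, here is a starting point. This is an added example, not code from HackerOne, the IBB, or any project named in this post: a small Python script that checks each incoming report for the sections a maintainer needs before spending time on it (affected version, steps to reproduce, impact, plus something concrete such as a command or sanitizer output), flags near-duplicates of reports already open, and sorts everything into needs-info, possible-duplicate, or ready-for-human-review. The report texts, section names, hedge-word list and similarity threshold are all constructed for the example; tune them to your own SECURITY.md.

```python
"""Report triage gate for an overloaded open-source security inbox.

Added example, not code from HackerOne, IBB or any project named in the post.
It scores each incoming report on the things a maintainer needs before spending
time on reproduction, flags near-duplicates of reports already open, and sorts
everything into three buckets. Report texts below are constructed samples.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Section headings a report must contain (case-insensitive markdown headings).
REQUIRED_SECTIONS = {
    "affected version": re.compile(r"^#+\s*affected version", re.I | re.M),
    "steps to reproduce": re.compile(r"^#+\s*steps? to reproduce", re.I | re.M),
    "impact": re.compile(r"^#+\s*impact", re.I | re.M),
}
# Something concrete a human can run or check: a shell command, sanitizer
# output, a crash message or a stack trace. Pure prose never counts as evidence.
CONCRETE_EVIDENCE = re.compile(
    r"^\s*\$ |AddressSanitizer|Segmentation fault|Traceback \(most recent call last\)", re.M)
# Hedging language; three or more hits with nothing concrete is a classic
# "scanner output pasted into a report" tell. Word list is an assumption.
HEDGES = re.compile(r"\b(could|might|potentially|may be possible)\b", re.I)


@dataclass
class Triage:
    title: str
    missing: List[str] = field(default_factory=list)
    has_evidence: bool = False
    hedge_count: int = 0
    duplicate_of: Optional[str] = None
    verdict: str = "needs-info"


def _tokens(text: str) -> set:
    return set(re.findall(r"[a-z0-9_]{3,}", text.lower()))


def jaccard(a: str, b: str) -> float:
    """Token-set similarity in [0, 1]; cheap and good enough for near-copies."""
    ta, tb = _tokens(a), _tokens(b)
    return len(ta & tb) / len(ta | tb) if (ta or tb) else 0.0


def triage_report(title: str, body: str, open_reports: Dict[str, str],
                  dup_threshold: float = 0.6) -> Triage:
    """Classify one report against the set of reports already open."""
    t = Triage(title=title)
    t.missing = [name for name, rx in REQUIRED_SECTIONS.items() if not rx.search(body)]
    t.has_evidence = bool(CONCRETE_EVIDENCE.search(body))
    t.hedge_count = len(HEDGES.findall(body))
    for other_title, other_body in open_reports.items():
        if jaccard(f"{title} {body}", f"{other_title} {other_body}") >= dup_threshold:
            t.duplicate_of = other_title
            break
    if t.duplicate_of is not None:
        t.verdict = "possible-duplicate"
    elif t.missing or not t.has_evidence or t.hedge_count >= 3:
        t.verdict = "needs-info"
    else:
        t.verdict = "ready-for-human-review"
    return t


# --- constructed sample reports (not real submissions) ----------------------
GOOD_BODY = """## Summary
Crash (heap-buffer-overflow) in parse_header() when a header line is longer than the fixed buffer.

## Affected version
2.3.1; current main also crashes.

## Steps to reproduce
$ ./example-tool --input long-header.txt
AddressSanitizer: heap-buffer-overflow on address 0x... (full log attached)

long-header.txt contains a single 5000-byte header line.

## Impact
Denial of service from untrusted input; memory corruption is reachable.
"""

VAGUE_BODY = """## Summary
The parse_header function could potentially be vulnerable to a buffer overflow.
An attacker might be able to exploit this and it may be possible to execute code.
Please fix.
"""

if __name__ == "__main__":
    open_reports = {"Heap overflow in parse_header": GOOD_BODY}
    for title, body in [("parse_header overflow?", VAGUE_BODY),
                        ("Crash in parse_header (heap overflow)", GOOD_BODY.replace("2.3.1", "2.3.2"))]:
        print(title, "->", triage_report(title, body, open_reports))
```

The point of the three buckets is that only ready-for-human-review costs a maintainer's time; needs-info gets a templated reply asking for the missing sections, and possible-duplicate gets linked to the existing report. Keep the human verification step after this gate, not instead of it.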

🎰 The Bounty Arbitrage Flip

HackerOne’s IBB pays $2,257 for a critical open-source bug. But private programs on the same platform pay $15,000-$250,000 for bugs in software that uses that same open-source code.

Here’s what you do: find a critical bug in an open-source library. DON’T submit it to IBB. Instead, figure out which major company uses that library in production → submit it to THEIR private bounty program as a supply-chain vulnerability. Same bug. 10x-50x the payout.

The trick is mapping which companies use which open-source dependencies. Tools like Socket.dev and deps.dev make this trivial — you can see exactly which Fortune 500 apps depend on which open-source packages.

🧠 Example: A researcher in São Paulo finds a deserialization bug in a popular Python library. IBB would pay $2,257. He checks deps.dev, finds it’s used in Shopify’s backend. Submits to Shopify’s HackerOne program → gets $15,000. Same afternoon’s work, different mailbox.

📈 Timeline: First successful flip in 2-3 weeks (depends on your existing bug-hunting skill). This play has existed quietly but the 76% IBB cut makes it the obvious rational move. Works indefinitely — companies always pay more to protect their own brand than to protect “the commons.”

📡 The False Positive Hunter

AI bug scanners are generating MASSIVE amounts of false positives — reports that look like real vulnerabilities but aren’t. This is the #1 complaint from maintainers like cURL’s Daniel Stenberg.

Here’s what you do: build a database of confirmed false-positive patterns from AI scanners. Categorize them by tool (CodeQL, Semgrep, Snyk, etc.) and by false-positive type. Sell access to this database as a filter layer that companies plug into their CI/CD pipelines (the automatic testing system that runs when developers push code).

Nobody’s done this yet because the AI-generated bug report flood is only ~6 months old. The data doesn’t exist in a structured form anywhere.

🧠 Example: A DevSecOps guy in Bangalore, India scrapes public GitHub issues tagged “false positive” + “security” across 500 repos. He categorizes 3,000+ patterns into a filterable dataset, packages it as a GitHub Action that auto-closes matching reports. Charges $49/month per repo. Gets 40 repos in the first month through Product Hunt and Hacker News launches.

📈 Timeline: Data collection takes 1-2 weeks. MVP filter takes another week. First paying customers within a month. This gets more valuable over time as AI scanners evolve and create new false-positive patterns. Defensible for 12-18 months until big players (Snyk, GitHub) build it in.
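What the CI filter layer looks like in practice, as an added example (not an existing product and not code from this post): a Python step that reads a scanner's SARIF output, matches each result against a curated list of confirmed false-positive classes, and records a SARIF suppression on the result instead of deleting it, so reviewers can still see what was filtered and why. The SARIF document, the rule ids (`example.*`) and the pattern entries are constructed. The design choice that matters is that every pattern is scoped to one tool and one rule and must carry a path or snippet predicate, so the database cannot quietly turn into a blanket rule disable.

```python
"""CI-side false-positive filter for scanner output in SARIF form.

Added example, not an existing product or the page's own code. A curated list of
confirmed false-positive classes is applied to each scanner result; matches get
a SARIF suppression recorded on them (not deleted), so reviewers can still see
what was filtered and why. SARIF document, rule ids and patterns are constructed.
"""
import copy
import re
from typing import Dict, List

# Each pattern is scoped to exactly one tool and rule id and must carry at least
# one context predicate (path regex and/or snippet regex). A pattern database that
# can match "rule X everywhere" is just a rule disable with extra steps.
FP_PATTERNS: List[dict] = [
    {"tool": "semgrep", "rule_id": "example.insecure-hash-md5",
     "path": r"(^|/)tests?/", "snippet": None,
     "reason": "test fixture; code is not shipped"},
    {"tool": "semgrep", "rule_id": "example.insecure-hash-md5",
     "path": None, "snippet": r"usedforsecurity\s*=\s*False",
     "reason": "non-cryptographic use declared explicitly"},
]


def _matches(p: dict, tool: str, rule_id: str, path: str, snippet: str) -> bool:
    if p["tool"].lower() != tool.lower() or p["rule_id"] != rule_id:
        return False
    if not (p.get("path") or p.get("snippet")):
        return False  # unscoped entry: refuse to apply it
    if p.get("path") and not re.search(p["path"], path):
        return False
    if p.get("snippet") and not re.search(p["snippet"], snippet):
        return False
    return True


def apply_suppressions(sarif: dict, patterns: List[dict] = FP_PATTERNS) -> Dict[str, list]:
    """Annotate matching results in place; return what was kept and what was suppressed."""
    summary: Dict[str, list] = {"kept": [], "suppressed": []}
    for run in sarif["runs"]:
        tool = run["tool"]["driver"]["name"]
        for result in run["results"]:
            loc = result["locations"][0]["physicalLocation"]
            path = loc["artifactLocation"]["uri"]
            region = loc.get("region", {})
            snippet = region.get("snippet", {}).get("text", "")
            key = f"{tool}:{result['ruleId']}:{path}:{region.get('startLine')}"
            reason = next((p["reason"] for p in patterns
                           if _matches(p, tool, result["ruleId"], path, snippet)), None)
            if reason is None:
                summary["kept"].append(key)
                continue
            # SARIF 2.1.0 "suppressions": the result stays in the report with a
            # justification, so the uploaded report still shows what was filtered.
            result.setdefault("suppressions", []).append(
                {"kind": "external", "justification": reason})
            summary["suppressed"].append((key, reason))
    return summary


def _result(rule_id: str, uri: str, line: int, snippet: str) -> dict:
    return {"ruleId": rule_id, "level": "warning",
            "message": {"text": f"{rule_id} at {uri}:{line}"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri},
                "region": {"startLine": line, "snippet": {"text": snippet}}}}]}


# Constructed SARIF with four findings: two known false-positive classes, two that
# must survive (a real md5-for-passwords hit and a rule no pattern covers).
SAMPLE_SARIF = {"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "semgrep"}}, "results": [
        _result("example.insecure-hash-md5", "tests/test_cache.py", 12, "hashlib.md5(b'fixture')"),
        _result("example.insecure-hash-md5", "src/cache.py", 40, "hashlib.md5(data, usedforsecurity=False)"),
        _result("example.insecure-hash-md5", "src/auth.py", 7, "hashlib.md5(password.encode())"),
    ]},
    {"tool": {"driver": {"name": "codeql"}}, "results": [
        _result("example.sql-injection", "src/db.py", 88, 'cursor.execute("SELECT * FROM t WHERE id = " + user_id)'),
    ]},
]}


def run_demo() -> Dict[str, list]:
    """Apply the patterns to a fresh copy of the sample and return the summary."""
    return apply_suppressions(copy.deepcopy(SAMPLE_SARIF))


if __name__ == "__main__":
    out = run_demo()
    for k in out["kept"]:
        print("KEEP     ", k)
    for k, why in out["suppressed"]:
        print("SUPPRESS ", k, "->", why)
```

Run it as a step after the scanner and before upload, fail the pipeline on anything in `kept`, and diff the `suppressed` list over time: a pattern that starts matching far more results than it used to is the signal that a scanner update changed a rule and the pattern needs re-review.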

🪟 The Patch Window Sprint

When IBB paused, a bunch of bugs were already submitted but not yet fixed. Some of these bugs are now known (researchers posted them) but unpatched (no one’s being paid to fix them). This creates a dangerous window.

Here’s what you do: monitor the IBB program’s disclosed reports for bugs that are public but unpatched. Write the patches yourself. Submit PRs to the open-source projects. Then reach out to companies that use those projects and offer paid security consulting to help them assess exposure.

You’re not selling the bug — you’re selling the FIX and the expertise around it. Companies will pay because their compliance teams (SOC 2, ISO 27001) require them to address known vulnerabilities.

🧠 Example: A freelance security consultant in Lagos, Nigeria finds 5 disclosed-but-unpatched IBB bugs in popular PHP libraries. She writes patches, submits PRs, and emails the security teams of 20 African fintech companies that use those libraries. Three hire her for $3,000 each to audit their full dependency tree. Total: $9,000 from bugs that IBB would’ve paid $340 for (5 × $68 low-sev).

📈 Timeline: Start scanning disclosed bugs today. First PR within 48 hours. First consulting gig within 2 weeks. The patch window is widest RIGHT NOW while IBB is paused and maintainers are overwhelmed. Narrows as projects find alternative funding or volunteers step in.

🎣 The AI Report Farm (Grey Hat)

Look — everyone’s complaining about AI-generated bug reports. But here’s the thing nobody says out loud: some of them are real. The ratio is bad (maybe 1 in 20 is legit), but when you’re generating thousands of reports, that’s still a lot of real bugs.

Here’s what you do: run AI scanners against private bounty programs (NOT the paused IBB). But — and this is the key — add a human verification layer before submitting. Use AI to find candidates, manually confirm they’re real, write proper reproduction steps, and submit only verified bugs.

The programs that pay well ($5K-$50K per crit) on Bugcrowd and HackerOne private programs haven’t paused anything. They’ve just gotten pickier about report quality. If your AI-found, human-verified report is clean and reproducible, they pay the same as always.

🧠 Example: A 21-year-old in Istanbul runs CodeQL queries against 30 private program targets on Bugcrowd. AI flags 400 potential issues. He spends a weekend manually verifying the top 50. Finds 8 real bugs — 2 critical, 3 high, 3 medium. Submits clean reports with reproduction steps. Total payout: $23,000 over 6 weeks.

📈 Timeline: Setup takes 2-3 days (install tools, pick targets). First batch of AI candidates in 24 hours. Manual verification is the bottleneck — budget 1-2 hours per candidate. First payout in 3-6 weeks (bounty review cycles). This play works as long as bounty programs exist, but competition increases as more people figure out the AI+human combo.

🛠️ Follow-Up Actions

  • Check which bounties are still paying: Browse HackerOne’s active programs — filter by “bounties offered” and sort by payout
  • See which open-source libs are now unprotected: Check the IBB hacktivity page for disclosed-but-unpatched bugs
  • Map company dependencies: Use deps.dev to see who uses which open-source package
  • Run your own AI code scanner: Start with Semgrep (free tier) or CodeQL (free for open-source)
  • Track maintainer complaints about AI spam: Follow the cURL bug bounty drama on Daniel Stenberg’s blog — he documents everything

⚡ Quick Hits

  • 💰 Quick bounty cash: Skip IBB entirely → target Bugcrowd and HackerOne private programs that still pay full price
  • 🛡️ Protect your own project: Add a .github/SECURITY.md with clear report guidelines to filter AI spam before it hits your inbox
  • 🔍 Check if YOUR software uses affected libs: Run npm audit / pip-audit / cargo audit on your project right now
  • 🧠 Learn bug hunting from scratch: PortSwigger Web Security Academy — still free, still the best starting point
  • 📡 Stay updated on bounty changes: Follow @Hacker0x01 and @bugaborr on X for program updates

AI found all the bugs. Nobody’s paying to fix them. The internet runs on vibes and volunteer patches now.