HackerOne Slashed Bug Payouts From $9,250 to $2,257 — Because AI Bots Won’t Stop Finding Bugs
The robots got so good at finding holes that the reward program that pays for holes… broke. Let’s read the actual numbers.
Valid reports fell from ~15% to under 5%. Critical-bug reward cut 75%+ ($9,250 → $2,257). New submissions frozen since March 27.
The Internet Bug Bounty — the fund that quietly pays people for finding holes in the code that runs half the internet (Node.js, curl, that stuff) — hit pause. Not because hackers slowed down. Because AI sped them up so hard the humans on the other side can’t keep up. Full breakdown at InfoWorld.

🧩 Dumb Mode Dictionary — read this first, everything else clicks
| Term | What it actually means (no jargon) |
|---|---|
| Bug bounty | A company says “find a security hole in our code, we’ll pay you cash.” Legal hacking for money. |
| Internet Bug Bounty (IBB) | A shared pot of money that pays people for finding holes in free code everyone uses (Node.js, curl, etc). Run by HackerOne. |
| Vulnerability / vuln | The hole itself. A mistake in the code a bad guy could sneak through. |
| Remediation | The boring part: actually fixing the hole after someone finds it. |
| AI slop | Fake or low-quality bug reports an AI spat out that look real but waste everyone’s time. |
| Maintainer | The (usually unpaid, tired) volunteer who keeps a piece of free code alive. |
📊 The receipts — what the numbers actually say
Start with the numbers, because the headline (“AI breaks bug bounties!”) is doing a lot of hand-waving.
- Valid reports: ~15% → under 5%. Meaning 95 out of every 100 reports coming in are now junk the humans have to read anyway.
- Critical-bug payout: $9,250 → $2,257. That’s a 75%+ pay cut for the exact same kind of finding. (The Register has the teardown.)
- New submissions: frozen since March 27.
- First project hit: Node.js — the engine behind a huge chunk of websites.
Counter-argument first, like always: this could just be HackerOne penny-pinching and blaming the robots. Cheap PR excuse, right? But the valid-rate collapse (15 to 5) is a real, measurable signal — you don’t fake a 10-point drop in report quality. Something genuinely changed.
🤖 How we got here — the bottleneck quietly moved
For 15 years, finding bugs was the hard part. That’s why the whole system paid for finds. Discovery was the bottleneck, so you rewarded discovery. Simple.
Then AI scanners got good. Really good. Now a laptop can machine-gun through a codebase and surface holes faster than any human ever could.
But here’s the thing nobody mentions: finding the bug was never the expensive part of security. Fixing it is. And nobody’s AI is volunteering to fix anything. So you’ve got a firehose of finds (some real, most slop) pointed at a handful of unpaid volunteers who now have to sort real from fake AND patch the real ones. The money was pointed at the wrong end of the pipe the whole time. AI just made that obvious. Cybernews put it bluntly: AI got so good at finding bugs it broke the reward system.
🗣️ What the timeline's saying
- Bounty hunters: furious. Same skill, same real bugs, 75% less pay overnight.
- Maintainers: relieved-ish. They were drowning in AI-generated “you have a vuln!!” emails that led nowhere.
- Security firms: quietly thrilled — this is a sales pitch. “Drowning in AI reports? Pay us to filter.” (Dark Reading framed it as a remediation crisis.)
- The skeptics (hi): the pause isn’t the story. The story is a whole industry realizing it built its incentives backwards.
Cool. The Robots Broke the Piggy Bank… Now What the Hell Do We Do? (⊙_⊙)

Here’s where it gets fun. When a system breaks, the gaps open up. The suits are busy cutting payouts — that means openings for anyone paying attention. Five plays, each stress-tested against the “is this actually doable tomorrow?” filter.
🩹 The Fix-It Middleman
Everyone’s chasing the find. The real shortage now is the fix. Small open-source projects get flooded with real AI-found bugs and have zero time to patch them. Be the person who writes the patch, not the person who reports the hole.
The play: watch GitHub Security Advisories for tiny projects with open, confirmed vulns and no fix. Write clean patches, submit them. Build a track record, then charge maintainers/companies who depend on that code to keep it patched.
Example: A 24-year-old dev in Lagos watches security advisories for small npm packages, writes tidy fixes on weekends, and lists a “I patch your dependency holes, $150/fix” service on his GitHub profile. Three regular clients (small SaaS shops that use those packages) = ~$1,800/month for weekend work.
Timeline: First accepted patch in 2 weeks. Steady clients by month 3. Stops working once AI writes reliable patches too — so bank the reputation now, that outlasts the trick.
🪟 The Patch-Window Sprint
IBB cut its rates. But hundreds of company-run bounty programs haven’t adjusted yet. They still pay full price for real bugs — and they haven’t started rejecting AI-assisted finds either. That gap is money sitting on the table.
The play: point a free scanner (Semgrep or CodeQL) at programs that still pay well and haven’t wised up. Report only verified, reproducible bugs (not slop) so you build trust before the rates drop.
Example: A student in Manila runs Semgrep against 10 mid-size company programs on HackerOne’s directory, files 4 hand-verified reports in a month, lands 2 payouts around $600 each. Nothing life-changing — but it’s a real $1,200 while the window’s open.
Timeline: First payout in 3–6 weeks. Window closes in maybe 6–12 months as every program copies HackerOne’s cut. Sprint now.
🕵️ The Slop Filter
Companies are getting buried in fake AI bug reports — 95 out of 100 are junk. Somebody has to sort them. Right now humans do it by hand, slowly, hating their lives.
The play: build a simple checklist/mini-tool that scores an incoming report “likely real vs likely slop” (does it include a working reproduction? real line numbers? a proof it triggers?). Offer triage-as-a-service to small security teams. You’re not finding bugs — you’re selling time back to people drowning.
Example: A 27-year-old in Warsaw makes a Google Sheet + a short scoring rubric, triages a startup’s inbox of 200 AI reports down to the 9 real ones for a flat $400. Word spreads to two more startups. It’s boring. Boring pays.
Timeline: First paying gig in ~2 weeks (startups are desperate). Plateaus when the big platforms automate triage — so target the small teams the platforms ignore.
🌑 The Niche Nobody Scanned
Everyone’s AI is scanning the famous stuff (Node, curl). The obscure corners — weird ML libraries, small hardware SDKs, that one dependency 400 companies quietly rely on — nobody’s pointed a serious scanner at them yet.
The play: pick a boring, un-glamorous ecosystem. AI/ML security bounties live at huntr.com. Point your scanner at the packages that aren’t sexy enough for the crowd. Less competition = your report is the only one, so it actually gets read.
Example: A self-taught hacker in Jakarta ignores the popular targets, scans 15 sleepy machine-learning helper libraries on huntr, finds 3 genuine holes nobody else bothered checking. Real payouts, near-zero competition.
Timeline: First find in 2–4 weeks. Stays alive longer than the mainstream targets — the crowd won’t come to the boring niches for a while. That’s the whole edge.
📖 The Cheat-Sheet Land-Grab
When a whole industry changes rules overnight, everyone’s confused and Googling the same questions: “which bounty programs still pay well after the AI cuts?” and “how do I write a report that doesn’t get flagged as slop?” Nobody’s written the clean answer yet.
The play: be the first to write the honest, updated guide. Which programs still pay. How to format a report so a tired human instantly sees it’s real, not robot-generated. Keep it current. First good guide becomes the link everyone shares.
Example: A 22-year-old in Nairobi writes a free, genuinely-useful “Bug Bounty After The AI Cuts (2026)” guide, keeps a live table of program rates, and drops it in r/bugbounty. Traffic builds; later he adds a paid deep-dive and a job board. The free guide is the anchor everything else hangs off.
Timeline: Traffic in 1–2 months if it’s actually useful (not fluff). The catch: you have to keep updating it or a fresher guide eats your lunch. First-mover only wins if they don’t get lazy.
🛠️ Follow-Up Actions
| Want to… | Start here |
|---|---|
| See which programs pay | HackerOne Directory |
| Scan code for free | Semgrep · CodeQL |
| Find AI/ML bounties | huntr.com |
| Track fresh vulns to patch | GitHub Advisories |
| Understand the full story | InfoWorld report |
Quick Hits
| You want… | Do this |
|---|---|
| Sell fixes, not finds — that’s the real shortage now | |
| Hunt programs that still pay full | |
| Triage other people’s AI-slop inbox for a flat fee | |
| Scan the boring niches nobody bothers with | |
| Write the guide everyone’s Googling right now |
The robots didn’t kill bug bounties. They just proved the money was always pointed at the wrong end.
!