The AI Era Is Creating a Bug Hunting Arms Race
https://www.wired.com/story/the-ai-era-is-creating-a-bug-hunting-arms-race/
Publish Date: 2026-05-25 06:30:00
Source Domain: www.wired.com
“Nation state issues are very serious and very real, but criminal actors still make up the vast majority of incidents that organizations deal with and many of those incidents are quite serious,” Hultquist adds. “Zero-day use by criminal actors has been fairly limited, and the ones that do use them tend to be really successful, so I think we shouldn’t underestimate the impact of more criminals with a zero day in their hands.”
For researchers making money through bug hunting, though, times are changing. The command-line tool Curl ended its bug bounty program (run through third-party service HackerOne) in January after being inundated with low-quality submissions generated by AI.
“We have concluded the hard way that a bug bounty gives people too strong incentives to find and make up ‘problems’ in bad faith that cause overload and abuse,” the group wrote at the time, adding that “we still appreciate and value valid vulnerability reports.”
Last week, Linux creator and lead developer Linus Torvalds wrote that the famed Linux security mailing list has become “almost entirely unmanageable” because of high volume and duplicate AI bug reports.
In April, though, Daniel Stenberg, the founder and lead developer of Curl, said in a LinkedIn post that the quality of submissions had improved. “Over the last few months, we have stopped getting AI slop security reports in the curl project,” he wrote. “Instead we get an ever-increasing amount of really good security reports, almost all done with the help of AI. They’re submitted in a never-before seen frequency and put us under serious load.”
And at the end of April, Google announced that it was overhauling its Vulnerability Reward Programs for Chrome and Android and lowering payouts for some classes of bugs, while increasing others.
“As the security research landscape evolves with AI, we’re making changes in our programs to ensure we’re rewarding the most challenging and impactful vulnerabilities in…