AI-Driven Bug Hunting Arms Race Forces Overhaul of Cybersecurity Economics
As AI accelerates exploit development, organisations from Google to Linux face operational overload, leading to terminated programs and structural shifts in how security flaws are rewarded and managed.

The integration of agentic artificial intelligence into vulnerability discovery is triggering a fundamental shift in the economics and operational dynamics of bug bounty programs. As AI models autonomously identify software weaknesses and develop exploits, organisations such as Google, the Curl project, and the Linux kernel project are experiencing a surge in submissions, including low-quality reports and duplicate entries. This influx has prompted responses ranging from the termination of bounty programs to the overhaul of reward structures, with Google recently adjusting payouts for Chrome and Android vulnerabilities.
Independent security researcher Joseph Thacker reports submitting three times more bugs than the previous year and predicts Google’s bug payout spending could increase by two to ten times. Thacker notes that while tech giants can handle the pressure, most companies cannot, and the current abundance of low- and medium-difficulty findings may lead to fewer submissions next year as those vulnerabilities are already discovered. He suggests that some companies may eventually raise payouts again to incentivise researchers to find more complex issues on public infrastructure.
The operational strain on maintainers is evident across the sector. Curl ended its bug bounty program in January due to an inundation of low-quality, AI-generated submissions, with the project citing the overload and abuse created by bad-faith incentives. However, founder Daniel Stenberg later reported an improvement in submission quality, noting that valid reports are now increasingly AI-assisted and arrive at a frequency that puts the project under serious load. Similarly, Linux creator Linus Torvalds stated that the Linux security mailing list has become almost entirely unmanageable because of the high volume of duplicate AI-generated bug reports.
Google researchers observed prominent cyber crime threat actors using AI tools to exploit a zero-day vulnerability that bypassed two-factor authentication on an open-source system administration platform; a fix was issued after Google's notification. John Hultquist, chief analyst at Google's Threat Intelligence Group, described this as the first concrete evidence of criminal actors using AI to discover novel vulnerabilities and create exploits. He warned that while nation-state threats are serious, criminal actors account for the vast majority of incidents and should not be underestimated, particularly as their access to zero-day exploits becomes more widespread.
In response to these changing dynamics, Google announced an overhaul of its Vulnerability Reward Programs for Chrome and Android, lowering payouts for some bug classes while raising others to reward the most challenging and impactful findings. Security expert Niels Provos argues that organisations cannot patch their way out of the current threat landscape and must instead build infrastructure that renders individual bugs irrelevant. Meanwhile, Anthropic launched a HackerOne bug bounty for researchers to submit findings on its own systems and Claude AI models, highlighting the industry's continued reliance on human expertise despite the acceleration of AI capabilities.