Rise of AI Slop Challenges Bug Bounty Programs

By Kevin Lee

The proliferation of harmful junk content generated by Large Language Models, widely referred to as “AI slop,” is deeply concerning. It is a growing and unresolved threat, and thus a profound opportunity for the cybersecurity field. Bug bounty programs are routinely and meticulously tuned to isolate critical threats, yet they are suddenly inundated with reports describing vulnerabilities that turn out to be fabricated. This reality has created a cycle of frustration for the security community and prompted a reexamination of submission processes.

HackerOne, a leading platform for bug bounty initiatives, has reported a marked increase in the number of submissions filled with AI slop. Michiel Prins, co-founder and senior director of product management at HackerOne, has noted that these low-signal submissions can create noise that undermines the efficiency of security programs. Over the last year, a coalition of industry experts and some news reporters have been sounding the alarm on the veracity of these reports.

Vlad Ionescu, co-founder and CTO of RunSybil, highlighted the ongoing problem with AI-generated content: “If you ask it for a report, it’s going to give you a report. And then people will copy and paste these into the bug bounty platforms and overwhelm the platforms themselves.” The unfortunate result is that customers are left to sift through a sea of confusing and often deceptive claims.

The impacts of AI slop go well beyond just wasting time. In a recent post on the impact of fake reports, security researcher Harry Sintonen described Curl’s response, declaring that “Curl can smell AI slop from miles away.” These erroneous reports take up precious time and distract from real threats to security. Ionescu elaborated on this issue, saying, “People are receiving reports that sound reasonable, they look technically correct. And then you end up digging into them, trying to figure out, ‘oh no, where is this vulnerability?’”

Bugcrowd, the other major bug bounty platform, has been hit by this trend as well. The platform has been overwhelmed with an increase of 500 new submissions a week. Some researchers have started using AI to identify bugs and generate bug reports. Casey Ellis, founder of Bugcrowd, said AI is often used in submissions. Even so, this has not resulted in a wave of terrible reports. Both HackerOne and Bugcrowd have begun efforts to address the increasing wave of false AI-derived submissions.

HackerOne launched Hai Triage to address these challenges head on. The system combines human review with AI processing to filter out low-quality reports, which HackerOne says is now done more effectively. This serves the dual purpose of cutting down on spammy submissions and protecting the quality and security of its bug bounty programs.

According to Prins, “We’ve also seen a rise in false positives — vulnerabilities that appear real but are generated by LLMs and lack real-world impact.” This phenomenon makes both the work and the impact more complicated for security teams. They have to wade through thousands of submissions to detect the genuine threats.

Mozilla has reported issues with high rejection rates of bug bounty submissions, with less than 10% of all monthly reports flagged as invalid. The increasing number of AI slop reports has led some developers to reevaluate their participation in bug bounty programs altogether. In another instance, one open-source developer was forced to scrap their bug bounty program after being inundated with “near 100% AI slop reports.”

The cybersecurity industry finds itself at a crossroads, grappling with how AI will shape the future of bug reporting. AI technology is moving fast, and machine learning tools are proliferating. The challenge for regulators now lies in distinguishing genuine vulnerabilities from the incoming tide of junk submissions.

Ionescu emphasized the importance of discerning between useful and worthless reports: “It turns out it was just a hallucination all along. The technical details were just made up by the LLM.” This highlights the importance of strong evaluation practices in bug bounty programs.

As companies like Bugcrowd continue to rely on both established playbooks and machine learning assistance in their manual review processes, the balance between leveraging AI for efficiency and ensuring quality remains delicate.
