HackerOne Pauses Internet Bug Bounty

HackerOne is reporting that they are "pausing submissions" in response to AI putting vulnerability reporting in the express lane, which in turn is overwhelming the recipients' abilities to parse through and fix them. As examples, InfoWorld notes that Curl said they were not participating in the bug bounty program anymore back in January due to a deluge of reports, and Google also stopped accepting AI reports in March.

Bug bounties are a popular staple of cybersecurity. Many companies and projects will offer to pay researchers who responsibly disclose vulnerabilities. The amount of payment is typically outlined by the company or project and varies based on severity, which software the vulnerability is found in (e.g. Chrome or Android), and other factors. In the past, some researchers have even been able to make a living strictly off bug bounties.

One of the most popular services for managing bug bounties is HackerOne. You can think of HackerOne like a job board or third-party vendor where companies and projects can sign up, post the guidelines for payout, and accept reports. This makes the whole process seamless and helps smaller projects who don't need to reinvent the wheel or manage an entire system of reporting.

Historically AI bug reports have been considered a nuisance, often reporting things that weren't actual bugs or were intended functionality. This would often lead to maintainers wasting valuable, limited time on nonsense. (This is one reason many maintainers set "no AI" policies.)

In a recent episode of "This Week in Privacy," Jonah Aragon (Privacy Guides' executive director) and I discussed the topic of AI bug reports and how it's likely that many such spammers are simply trying to "pad" their GitHub submission history in hopes of looking more appealing to potential employers.

However, last month The Register quoted a senior Linux kernel maintainer who said that the quality of AI bug reports has sharply increased in recent weeks.

It's unclear from the provided statements exactly what HackerOne's concern is. Is the concern that payments are incentivizing sloppy AI bug report spam in the hopes of an easy payout? Or is there concern that the uptick in quality bug reports is unsustainable, either financially or in terms of "time required to fix the bugs"? Time will tell, but we hope that they'll find the answers they seek, as the bug bounty program has historically been a net good for the cybersecurity landscape.