AI-generated bug reports are flooding bug bounty programs across platforms and vendors, creating challenges for companies that must process high volumes of low-quality and false submissions. Bug bounty platforms and software companies collectively paid at least $58 million in 2025 to researchers who find software flaws before hackers do.
Bug reports submitted through Bugcrowd more than quadrupled during three weeks in March, and most of the reports received in that period were fake. OpenAI is listed as a client of Bugcrowd.
In April, HackerOne and Nextcloud suspended their paid bounty programs. Nextcloud stated that no financial rewards will be awarded for any submissions, regardless of severity. Nextcloud wrote that the massive increase in low-quality reports is an industry-wide challenge and that it has been unable to find a way to handle that increase responsibly. Nextcloud said it hoped to restart the program once a reliable approach to filtering out low-effort reports is found.
This summary lists the actions and public statements made by the platforms and companies involved. The statements describe conditions for resuming paid bounty programs but do not include timelines for any restart.
Anthropic introduced Mythos, a cyber-focused AI model, in March.
Claude Mythos identified 271 vulnerabilities in Mozilla Firefox during internal testing.
A preview version of Claude Mythos helped develop an exploit targeting Apple’s M5 chips.
Myriad is a prediction market platform operated by Decrypt’s parent company, Dastan.
The Financial Times reported on the surge of AI-generated bug reports, and its coverage included the quote, “Bug bounties are going to stay [but] they’re going to have to change.”
AI-generated bug reports have significantly increased low-quality submissions and false reports across bug bounty programs, creating operational challenges for platforms and companies that must process large volumes of low-value entries. Several organisations have adjusted or suspended paid bounty programs while seeking more reliable methods to filter out low-effort and fake reports, and some have said they hope to restart programs once effective filtering is found.


