Discovery used to be the bottleneck for open source bugs; with automated discovery, remediation is the bottleneck, and bounties don't fund it.

HackerOne has announced a temporary suspension of new vulnerability submissions to its Internet Bug Bounty (IBB) program, highlighting a growing imbalance between vulnerability discovery and remediation capacity across the cybersecurity ecosystem. The decision, effective March 27, reflects mounting pressure on open source maintainers as AI-assisted bug hunting accelerates the volume of reported vulnerabilities beyond what teams can realistically address.

The IBB program, launched in 2013, has long been a cornerstone of the open source security community, incentivizing researchers to identify and report vulnerabilities in widely used software. However, HackerOne stated that the rapid evolution of AI-driven discovery tools has fundamentally shifted the landscape, increasing both the speed and scale of vulnerability identification, while remediation capabilities have lagged behind.

According to HackerOne, the industry is now facing a “signal versus noise” challenge, where the surge in reported vulnerabilities is not always matched by actionable or high-quality findings. This imbalance has made it increasingly difficult for maintainers to prioritize and resolve issues effectively, prompting the company to pause submissions and reassess the structure of its crowdsourced security programs.

The impact of this decision has extended to the broader open source ecosystem. The Node.js project, which relied on funding from HackerOne’s program, has also paused its bug bounty initiative, citing the lack of independent resources to sustain such efforts. As a volunteer-driven project, Node.js faces significant constraints in managing the growing influx of vulnerability reports without external support.

Ensar Seker, Chief Information Security Officer at SOCRadar, described the move as a necessary adjustment to evolving industry dynamics. He noted that while AI has industrialized vulnerability discovery, remediation efforts have not scaled at the same pace, creating a bottleneck that places overwhelming pressure on maintainers.

John Morello, Co-founder and Chief Technology Officer at Minimus, emphasized the declining quality of submissions, pointing out that AI-generated reports have significantly reduced the ratio of valid findings. He explained that triage teams are now burdened with filtering large volumes of non-exploitable or low-impact vulnerabilities, leading to what many describe as “triage fatigue.”

HackerOne indicated that its focus moving forward will be on aligning vulnerability discovery more closely with effective remediation. The company plans to collaborate with maintainers and researchers to explore new models that prioritize meaningful findings and ensure that reported vulnerabilities translate into tangible security improvements.

Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, characterized the pause as a wake-up call for the industry. He highlighted that while AI has successfully accelerated vulnerability discovery, the human effort required to validate and fix these issues remains a critical challenge. According to Ford, future vulnerability programs may need to shift incentives toward rewarding not just discovery, but also remediation and patch development.

David Hayes, Vice President of Product at FusionAuth, echoed concerns about the sustainability of current bug bounty models. He noted that programs designed around human-paced research are now struggling to keep up with AI-driven discovery, leading to faster depletion of resources without corresponding improvements in remediation capacity.

HackerOne’s decision underscores a broader transformation in cybersecurity, where the balance between finding and fixing vulnerabilities is being redefined. As AI continues to reshape the threat and discovery landscape, organizations are being pushed to rethink how they allocate resources, structure incentives, and support the maintainers who play a critical role in securing the open source ecosystem.
