AI drives surge in ‘bug bounty’ reports, but the ‘slop’ is rising too

HackerOne, a leading platform in the bug bounty sector, has revealed a notable uptick in valid submissions, reporting 85,000 valid bounty reports in 2025–an increase of 7% from the previous year. This surge can be largely attributed to the integration of artificial intelligence (AI) tools that enhance the ability of security researchers to identify vulnerabilities. While the increase in valid submissions is encouraging, the platform has also noted a rise in what it describes as "slop"–lower-quality submissions that may not meet the rigorous standards expected by organizations looking to safeguard their systems.

To understand the significance of this trend, it’s crucial to consider the growing reliance on digital infrastructure across industries. As more businesses undergo digital transformations, the need for robust cybersecurity measures has intensified. Bug bounty programs, which incentivize ethical hackers to report vulnerabilities, have become critical in identifying and mitigating potential threats before they can be exploited. The rise in valid submissions indicates a more proactive stance towards security, supported by advancements in AI that facilitate quicker and more accurate assessments of software and web applications.

The implications of this increase for the market are multifaceted. On one hand, the rise in valid reports suggests that organizations are becoming more diligent in addressing vulnerabilities, potentially leading to a more secure digital landscape. On the other hand, the simultaneous rise in lower-quality submissions may create challenges for companies sifting through the noise to find actionable insights. This duality could result in increased operational costs and resource allocation as firms work to separate valuable reports from less relevant ones.

Industry experts have weighed in on these developments, noting that while the utilization of AI in bug hunting is beneficial, it is essential for researchers to maintain high standards in reporting. The growing concern over "slop" has prompted discussions about establishing clearer guidelines and better training for participants in bug bounty programs. Some experts advocate for the implementation of AI-driven tools that could assist in filtering submissions, ensuring that only the most pertinent vulnerabilities are brought to the attention of companies.

Looking ahead, the bug bounty landscape is likely to continue evolving as AI technologies advance. As organizations become more adept at leveraging AI for cybersecurity, we may see further improvements in the quality of valid submissions. However, ongoing education and refinement of the bug bounty process will be critical to mitigating the challenges posed by lower-quality reports. The conversation surrounding these issues will undoubtedly shape the future of cybersecurity efforts and the overall effectiveness of bug bounty programs in the years to come.