Jun 18, 2026 · 10:05 AM

AI is turning bug hunting into a security arms race

AI-assisted tools are accelerating vulnerability discovery across bug bounty programs, creating more valid findings and more low-quality submissions at the same time. The companies that win this race will be the ones that can triage and fix faster, not just scan more.

Ron Patel

AI is making vulnerability discovery faster, cheaper, and harder to manage, which means the real test now is how quickly companies can verify and fix what gets found.

The bug bounty world is being pulled into the AI era whether it is ready or not. Security researchers are using models to scan more code, build better test cases, and find exploitable weaknesses at a pace that old disclosure systems were never designed to handle. Attackers can use the same tools, which turns a useful productivity gain into a race against time.

As WIRED reported on May 25, the search for software flaws is changing quickly as agentic AI systems become better at both finding vulnerabilities and helping develop exploits. That matters because bug hunting is no longer just a specialist craft moving at human speed. It is becoming a scaled workflow, where a capable researcher can test more targets, produce more reports, and put more pressure on every company receiving those findings.

The pressure is already showing up in the numbers. HackerOne said vulnerability submissions on its platform reached a record high in March 2026, up 76% year over year, while the valid, exploitable share stayed near 25%. That is the uncomfortable part. If the signal rate is steady while the volume rises, security teams are not just drowning in nonsense. They are also receiving many more real issues than before.

Bug bounty platforms are now trying to separate useful AI-assisted research from mass-produced guesswork. Bugcrowd said in March that its queues had increased by more than 334% over three weeks even after excluding legitimate traditional reports, and it blamed much of the surge on speculative AI submissions with thin evidence and little validation. By May, the company had added bans for submission farming, mandatory identity verification for managed bounty programs, throttling for low-performing accounts, and CAPTCHA checks before submission.

That is not just administrative cleanup. It is a sign that the old model of open intake is under strain. A bug bounty only works if researchers can submit findings and companies can trust that the queue is worth attention. When AI makes it cheap to send weak reports at scale, the bottleneck moves from discovery to judgment. Someone still has to reproduce the issue, rank the risk, assign ownership, and confirm the fix.

Open source maintainers have felt this first because they often have the least spare capacity. Curl ended its HackerOne bug bounty program at the end of January 2026 after a wave of low-quality AI-generated reports, although founder Daniel Stenberg later said the project had stopped seeing AI slop and was instead receiving more strong AI-assisted security reports. The Linux kernel project has also had to adjust. Linus Torvalds said in May that duplicate AI-generated vulnerability reports had made the private Linux security mailing list almost entirely unmanageable, and new kernel guidance now treats AI-found bugs as public reports that should go to the relevant maintainers with a verified reproducer.

Startups cannot treat this as background noise

For startups, the lesson is simple. AI does not care that the security team is small, the roadmap is packed, or the company is still chasing product-market fit. Cloud services, APIs, authentication flows, CI pipelines, and open source dependencies are all easier to inspect at scale. A weakness that might once have sat quietly for months can now be surfaced by a researcher, a customer, a competitor, or a criminal using similar tooling.

This changes how founders should think about security budgets. Buying another scanner is not enough if nobody can handle the output. The budget has to cover triage, remediation, regression testing, and engineering time to remove whole classes of bugs. HackerOne has warned that remediation is not keeping pace with discovery, even as some teams fix individual critical issues faster. That is the real exposure debt: not the number of flaws found, but the number left unresolved while discovery keeps accelerating.

The better companies will use AI on both sides of the ledger. They will let researchers and internal teams find more issues, but they will also use automation to deduplicate reports, draft fixes, test patches, and identify recurring patterns in their codebase. The weaker companies will mistake more visibility for more security, then wonder why the backlog keeps growing.
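The intake controls described above (a verified reproducer before a report counts, deduplication of repeat findings, and throttling of accounts with a poor track record) are sketched here as an added illustration; this is not code from HackerOne, Bugcrowd or the kernel project, and the report fields, the asset-plus-weakness fingerprint rule and the 25% valid-rate threshold are assumptions chosen for the example.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Report:
    rid: str
    reporter: str
    asset: str          # constructed placeholder path, not a real target
    weakness: str       # CWE-style class claimed by the reporter
    has_reproducer: bool

@dataclass
class TriageResult:
    accepted: list = field(default_factory=list)
    duplicates: dict = field(default_factory=dict)  # rid -> canonical rid
    rejected: dict = field(default_factory=dict)    # rid -> reason

def fingerprint(r):
    # Assumption: same asset + same weakness class = same underlying issue.
    return hashlib.sha256(f"{r.asset}|{r.weakness}".lower().encode()).hexdigest()[:16]

def triage(reports, history, min_valid_rate=0.25, min_history=4):
    """history maps reporter -> (valid, total) over past submissions."""
    out, seen = TriageResult(), {}
    for r in reports:
        valid, total = history.get(r.reporter, (0, 0))
        # Throttle only once an account has enough history to judge.
        if total >= min_history and valid / total < min_valid_rate:
            out.rejected[r.rid] = "throttled: low valid rate"
            continue
        if not r.has_reproducer:            # thin evidence never reaches a human
            out.rejected[r.rid] = "needs reproducer"
            continue
        fp = fingerprint(r)
        if fp in seen:                      # repeat of an already-queued issue
            out.duplicates[r.rid] = seen[fp]
            continue
        seen[fp] = r.rid
        out.accepted.append(r.rid)
    return out

def run_sample():
    # Constructed sample queue and reporter history (not real data).
    reports = [
        Report("R1", "alice", "api.example.test/v1/login", "CWE-287", True),
        Report("R2", "bob",   "API.example.test/v1/login", "cwe-287", True),
        Report("R3", "carol", "api.example.test/v1/search", "CWE-89", False),
        Report("R4", "dave",  "api.example.test/v1/search", "CWE-89", True),
        Report("R5", "alice", "files.example.test/upload", "CWE-22", True),
    ]
    history = {"alice": (5, 6), "bob": (2, 3), "dave": (1, 10)}
    return triage(reports, history)
```

Only R1 and R5 reach the human queue: R2 collapses onto R1, R3 lacks a reproducer, and R4 is held back by dave's 10% valid rate.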

Bug hunting is not going away. It is becoming faster, noisier, and more expensive to ignore. The next advantage will not belong only to the team that finds the most vulnerabilities. It will belong to the team that can turn a flood of findings into verified fixes before attackers turn the same knowledge into leverage.


Ron Patel covers cryptocurrency markets, blockchain developments, and digital asset news for Startup Fortune. With a background in financial journalism and over eight years tracking crypto markets through multiple cycles, Ron brings analytical perspective to Bitcoin, Ethereum, and emerging token ecosystems.