AI slop and fake reports are exhausting some security bug bounties

In recent years, the internet has witnessed an influx of low-quality content generated by large language models (LLMs), commonly referred to as 'AI slop.' This phenomenon is permeating various sectors, including cybersecurity, where it is causing significant challenges for professionals working in bug bounty programs. Experts in the cybersecurity field have expressed growing concerns about the prevalence of misleading bug reports generated by AI. These reports often falsely claim to identify vulnerabilities, crafted to appear legitimate but ultimately lacking any factual basis. Vlad Ionescu, co-founder and CTO of RunSybil, emphasized the confusion this causes, stating, "Reports can look technically sound at first glance, but upon closer inspection, they may simply be fabrications by the AI." Ionescu pointed out that LLMs are designed to produce helpful responses, which can lead to users submitting these AI-generated reports directly to bug bounty platforms. This inundation of misleading submissions creates a frustrating scenario for both the platforms and the companies involved, as they must sift through what may appear as credible reports but are, in fact, just noise. Real-world instances of this issue have emerged. For example, security researcher Harry Sintonen recently highlighted a case involving the open-source security project Curl, which received a bogus report. He noted, "Curl can detect AI slop from a distance," indicating that the project is equipped to handle such misleading claims. Similarly, Benjamin Piouffle of Open Collective admitted that their team is overwhelmed by low-quality AI submissions. The situation has prompted some developers to take drastic measures; one developer even withdrew their bug bounty program entirely after being inundated with AI-generated reports. The leading bug bounty platforms, acting as intermediaries between security researchers and companies, are also feeling the strain as they face a surge in AI-generated submissions. Companies like HackerOne are addressing these challenges by developing AI-assisted systems to help filter and prioritize genuine reports. Michiel Prins, co-founder of HackerOne, noted an uptick in false positives, which complicates the efficiency of security programs. He explained that submissions filled with spurious vulnerabilities are increasingly being treated as spam. Meanwhile, although Bugcrowd reports an increase in submissions overall, founder Casey Ellis indicated that the impact of AI on the quality of reports has not yet reached a critical level. However, he anticipates that this could change in the future, leading to a growing number of low-quality submissions. As the lines blur between human and AI-generated content, industry leaders are exploring solutions to mitigate the effects of this AI slop. Ionescu suggests that ongoing investment in AI systems capable of preliminary reviews will be essential. Recently, HackerOne introduced a new triaging system that combines human expertise with AI capabilities to effectively manage the influx of reports, demonstrating a proactive approach to this emerging challenge in cybersecurity.