
AI Flood Overwhelms Bug Bounty Programs as Companies Rethink Security Rewards

Financial Times, Companies

Corporate bug bounty programs are buckling under an avalanche of AI-generated vulnerability reports, forcing companies to suspend payments entirely. Bugcrowd reported submissions more than quadrupled in just three weeks during March, with most proving worthless. The surge represents a fundamental shift in cybersecurity economics, as generative AI tools lower barriers for both legitimate researchers and opportunistic submitters.

Curl terminated its paid bounty program in January, while Nextcloud followed in April, citing "never-ending slop" that required significant mental effort to debunk. These programs once promised substantial rewards—Google disbursed $17 million last year, up from $7.5 million in 2021. However, the signal-to-noise ratio has collapsed, with HackerOne reporting only 25% of submissions flag legitimate vulnerabilities despite a 76% volume increase.

Companies are racing to implement AI-powered triage systems to filter submissions. HackerOne introduced new validation capabilities, while platforms debate whether tools like Anthropic's Mythos represent a threat or an opportunity. The cybersecurity industry faces a paradox: AI accelerates vulnerability discovery while simultaneously drowning programs in fraudulent claims.

The market is adapting through stricter verification processes and hybrid human-AI workflows. Bug bounty economics are fundamentally changing—programs that once relied on human judgment now require sophisticated filtering to remain viable. Companies must balance accessibility for legitimate researchers against the flood of automated submissions that threaten program sustainability.