
AI-generated bug reports flooding security bounty programs

Ars Technica

Bug bounty platforms are drowning in AI-generated vulnerability reports. Daniel Stenberg, creator of the curl library, called the flood "never-ending slop" and said that debunking it has taken a serious mental toll. Nextcloud suspended its bug bounty program in April after a massive spike in low-quality submissions, and the problem is getting worse as Anthropic's Mythos cyber AI model enters the market promising to find flaws faster than humans can.

HackerOne, which serves clients like Goldman Sachs and the US Department of Defense, saw submissions jump 76 percent year over year through March. Despite the surge, the share of reports identifying real vulnerabilities held steady at 25 percent. The company introduced agentic validation capabilities this year to help organizations manage the deluge, while Bugcrowd's Dave Gerry argues AI tools like Mythos will assist hunters rather than replace the human creativity that uncovers novel bugs.

The industry response is mixed. Companies are layering stricter background checks and automated triage systems on top of existing programs. HackerOne CEO Kara Sprague acknowledged a recent uptick in higher-quality AI-assisted reports but emphasized the flood isn't reason enough to reject the technology outright. The real challenge is filtering signal from noise fast enough to keep these programs functional.