The rapid adoption of artificial intelligence for vulnerability research has triggered an unprecedented deluge of low-quality security reports, overwhelming software maintainers and forcing platforms to implement stricter submission guidelines. The issue, widely discussed in security circles, threatens the efficiency of bug bounty programs and the sustainability of open source maintenance.
The Scale of the Problem
Linus Torvalds, the creator of the Linux kernel, recently described the situation as almost entirely unmanageable. In his notes accompanying the latest kernel release candidate, Torvalds highlighted massive duplication: "If you found a bug using AI tools, the chances are somebody else found it too." He urged researchers to add value by creating patches or reading documentation, rather than sending a random report with no real understanding.
The problem is not limited to Linux. Across the industry, bug bounty platforms and vulnerability disclosure programs report a sharp increase in submissions that lack proof-of-concept, rely on theoretical attack scenarios, or duplicate known issues. These reports consume significant triage time, diverting maintainers from fixing genuine vulnerabilities.
GitHub's Response
Jarom Brown, Senior Product Security Engineer at GitHub, acknowledged the challenge in a recent statement. He noted that while lowering the barrier to entry for security research is welcome, the sheer volume of AI-generated submissions that fail to demonstrate real security impact is unsustainable. GitHub now requires researchers to validate AI-assisted findings before submitting them, and a complete submission must include a working proof-of-concept showing exploitation potential and concrete security impact. Reports falling into known ineligible categories will be closed as Not Applicable, potentially affecting a researcher's HackerOne Signal and reputation.
Brown also urged researchers to be concise, warning that bloated, AI-padded reports slow down triage and waste everyone’s time.
Collateral Damage on the Researcher Community
Shubham Shah, co-founder of Assetnote and a respected security researcher, warns that the noise is eroding trust in bug bounty programs. Organizations are taking longer to review legitimate reports, breaking the feedback loop that keeps top researchers engaged. "The joy of reporting vulnerabilities to bug bounties is quickly dissipating," Shah said. He noted that while platforms like HackerOne and Bugcrowd are attempting to filter spam with AI and added controls, many experienced researchers may retreat to private vulnerability research and invite-only bounties.
This trend could lead to fewer high-quality discoveries being shared publicly, ultimately reducing overall security for the ecosystem.
Open Source Under Pressure
The impact is most acute on open source projects, which rely on volunteer maintainers with limited time. Unlike large corporations such as Microsoft or Google, small projects cannot absorb the overhead of processing hundreds of junk reports each week. The cURL project, led by Daniel Stenberg, serves as a case study. In early 2026, cURL stopped accepting HackerOne submissions and eliminated monetary rewards for security reports, hoping to remove the incentive for AI slop.
Initially, cURL switched to receiving reports via GitHub or email, but found those channels less effective. It returned to HackerOne after about a month, but retained the decision to offer no bounties. Stenberg reported that after eliminating bounties, "the slop situation is not a problem anymore." Rather than falling, the number of reports rose, quality improved, and the rate of confirmed vulnerabilities surpassed 2024 pre-AI levels. However, Stenberg warned that the increased influx of good reports could still overwhelm maintainers: "This avalanche is going to make maintainer overload even worse. Some projects will have a hard time to handle this kind of backlog expansion without any added maintainers to help."
HackerOne's Perspective
HackerOne acknowledged the problem AI slop poses for under-resourced organizations. Michiel Prins, Co-founder and Senior Director of Product Management, advised customers to refine scope and submission guidelines, use AI-assisted triage tools, and pair automation with human oversight. "As AI makes it easier to automate submissions, preserving signal quality becomes critical so open source maintainers can stay focused on fixing real issues," Prins said.
Industry Initiatives
The Open Source Security Foundation (OpenSSF) Vulnerability Disclosures Working Group is gathering community feedback to help maintainers tackle AI-generated junk reports. Their goals include compiling best practices, creating policy templates, and developing guidance to identify and handle AI-assisted submissions.
While the immediate challenge is filtering noise, the long-term implications are profound. If maintainers become desensitized to reports, or if experienced researchers disengage, the security of the entire software supply chain could suffer. The industry must find a balance between leveraging AI for discovery and ensuring that human expertise remains central to validation and remediation.
Source: Help Net Security News