Crypto projects report a surge of automated, low-quality bug bounty submissions as AI tools make it easier to generate reports — many of them false positives. Teams that run bounty programs say the influx is creating a heavy triage burden as maintainers sort genuine vulnerabilities from noise.
Cosmos Labs co-CEO Barry Plunkett said the protocol’s bounty program has seen roughly a 900% year-over-year jump in submissions, now receiving about 20–50 reports per day. While that volume has produced more legitimate findings, Plunkett said it has also brought many invalid reports that consume scarce engineering time.
Kadan Stadelmann, CTO of Komodo Platform, confirmed a noticeable rise in both submissions and payouts across organizations and flagged a growing share of low-quality reports and false positives that suggest AI-assisted sourcing. “AI has caused a decrease in the cost to produce a report, resulting in an influx of submissions,” he said.
Open-source maintainer Daniel Stenberg, creator of curl, cited a similar problem in January when he ended his bug bounty program because he was overwhelmed by what he described as “AI slop in vulnerability reports,” leaving him exhausted from triage.
At the same time, firms that manage bounties report more valid disclosures. HackerOne recorded 85,000 valid submissions in 2025, a 7% rise year-over-year, indicating that the total of useful reports has grown alongside the noise.
Many teams now view AI as both the cause and part of the remedy. Cosmos Labs has tightened scoring rules, prioritized researchers with established track records, and moved to bounty providers offering more advanced triage services. Stadelmann urged wider adoption of defensive AI tools to help automate initial filtering and reduce manual workload.
Smaller projects are particularly exposed because they lack the bandwidth to manually vet every claim. Recommended measures include raising submission standards, implementing automated pre-screening, rewarding trusted reporters more heavily, and deploying AI-based deterrents to discourage mass, low-quality submissions.
This coverage follows Cointelegraph’s editorial standards and aims to be accurate and timely; readers are encouraged to verify details independently.