AI-Driven Bug Bounty Surge, But the Threat of 'Slop' is Rising
The spread of generative AI has pushed bug bounty reports to record highs, but low-quality 'slop' data is increasing the operational burden on security teams.
The bug bounty industry is currently facing a 'paradox of plenty.' While the proliferation of generative AI tools has pushed vulnerability report numbers to record highs, a surge in low-value 'slop' data is simultaneously threatening security teams. This phenomenon is drastically increasing the cost and time required for security experts to identify valid threats.
The bug bounty industry is facing a paradox of plenty. AI tools have driven submissions to record levels, but they have also triggered a flood of 'slop' that threatens to drown security teams in low-value noise.
According to data from HackerOne, one of the world's largest bug bounty platforms, valid bounty submissions reached 85,000 in 2025, an increase of approximately 7% from 79,439 in 2024. The growth is attributed primarily to the spread of AI-powered vulnerability detection tools and shows the market expanding at an unprecedented pace.
The Spread of AI Optimism and Shifting Perceptions
A report from Bugcrowd shows how rapidly perceptions of AI have changed among hackers. In 2023, only 21% of hackers believed that the value of AI in hacking would increase, but this figure skyrocketed to 71% in 2024. This suggests that security researchers are integrating AI into their workflows at a very fast pace.

- Unproven reports related to SSL/TLS encryption
- Reports of missing HTTP headers without an actionable Proof of Concept (PoC)
- Simple listings of server error messages
- Spammy attack attempts related to email protocols

In the security industry, 'slop' refers to low-quality security reports generated by AI, which is the primary culprit in worsening the signal-to-noise ratio. Since many AI-generated reports list only theoretical vulnerabilities without a working Proof of Concept (PoC), security teams are consuming massive resources to review and filter them individually. This ultimately has the side effect of slowing down the processing of valid vulnerabilities.
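
A pre-triage gate for the kind of filtering described above, added here as an illustration and not taken from any platform named in the article. Treating the four listed report types as low-signal categories, the regex patterns, the two-evidence threshold and the queue names are all assumptions.

```python
import re
from dataclasses import dataclass

# Assumed patterns, one per report type in the list above.
LOW_SIGNAL = {
    "tls": re.compile(r"\b(ssl|tls|cipher)\b", re.I),
    "missing_header": re.compile(r"\bmissing\b.*\bheaders?\b", re.I),
    "error_message": re.compile(r"\b(error message|stack trace)\b", re.I),
    "email": re.compile(r"\b(spf|dkim|dmarc|smtp)\b", re.I),
}
# Assumed markers that the reporter reproduced the issue rather than theorised.
EVIDENCE = {
    "numbered_steps": re.compile(r"^\s*\d+[.)]\s+\S", re.M),
    "http_exchange": re.compile(r"^(GET|POST|PUT|PATCH|DELETE) \S+ HTTP/\d", re.M),
    "observed_result": re.compile(r"\b(observed|was able to|response contained)\b", re.I),
}

@dataclass
class Verdict:
    queue: str        # "needs_poc" or "human_triage"; nothing is auto-closed
    categories: list
    evidence: list

def pre_triage(report: str) -> Verdict:
    cats = [name for name, rx in LOW_SIGNAL.items() if rx.search(report)]
    found = [name for name, rx in EVIDENCE.items() if rx.search(report)]
    # Bounce only reports that sit in a low-signal category AND show fewer
    # than two kinds of reproduction evidence; everything else reaches a human.
    queue = "needs_poc" if cats and len(found) < 2 else "human_triage"
    return Verdict(queue, cats, found)

# Constructed sample reports (not real submissions).
THEORETICAL = ("The site is missing the X-Frame-Options header. "
               "This could theoretically allow clickjacking.")
REPRODUCED = ("Error message on /export discloses data.\n"
              "1. Request an export as a low-privilege test user.\n"
              "2. Read the error body.\n"
              "The response contained another tenant's invoice id.")
UNCATEGORISED = "Password reset token does not expire after use."

if __name__ == "__main__":
    for text in (THEORETICAL, REPRODUCED, UNCATEGORISED):
        print(pre_triage(text))
```

The gate only routes: a report in a listed category is sent back for a PoC, never rejected outright, so a valid finding phrased tersely still gets a second chance at human review.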
However, the speed of AI has not yet fully replaced human creativity. According to the Bugcrowd survey, only 22% of respondents believed that AI performs better than human hackers, and the percentage who believed AI could replicate human creativity remained at around 30%. This implies that human intelligence still plays a core role in the domain of complex and original vulnerability detection.
According to an analysis by Imperva, the introduction of AI paradoxically creates a need for more security engineers per discovered vulnerability. This is because human intervention is essential in the processes of reproduction and impact assessment for AI-generated outputs. Companies are now in a position where they must allocate additional budget for AI-assisted red teaming and the construction of dedicated pipelines for processing findings.
To respond to these challenges, platforms are pursuing a 'defensive evolution': using AI to filter out the noise created by AI. Microsoft researchers have even proposed the 'Triangle' framework, which uses multiple LLM agents to automate incident triage. This is seen as an attempt to introduce sophisticated automation from the triage stage onward to manage the exploding volume of reports.
Ultimately, generative AI has brought a double-edged sword of quantitative expansion and qualitative degradation to the bug bounty ecosystem. Security experts emphasize that rather than unconditionally trusting AI-generated policies or reports, a new trust model must be established that places a strict verification layer between generation and execution. Finding the point where human creativity and AI efficiency harmonize is expected to be a key challenge for the future security market.

| Metric | 2023 Percentage | 2024 Percentage |
|---|---|---|
| Believe AI increases the value of hacking | 21% | 71% |
| Believe AI outperforms human hackers | N/A | 22% |
| Believe AI can replicate human creativity | N/A | 30% |
Data shows a massive spike in the perceived value of AI tools among security researchers.


