AI slop and fake reports are exhausting some security bug bounties
TechCrunch, 24-07-2025
So-called AI slop, meaning LLM-generated low quality images, videos, and text, has taken over the internet in the last couple of years, polluting websites, social media platforms, at least one newspaper, and even real-world events.
The world of cybersecurity is not immune to this problem, either. In the last year, people across the cybersecurity industry have raised concerns about AI slop bug bounty reports, meaning reports that claim to have found vulnerabilities that do not actually exist, because they were created with a large language model that simply made up the vulnerability, and then packaged it into a professional-looking writeup.
'People are receiving reports that sound reasonable, they look technically correct. And then you end up digging into them, trying to figure out, 'oh no, where is this vulnerability?',' Vlad Ionescu, the co-founder and CTO of RunSybil, a startup that develops AI-powered bug hunters, told TechCrunch.
'It turns out it was just a hallucination all along. The technical details were just made up by the LLM,' said Ionescu.
Ionescu, who used to work at Meta's red team tasked with hacking the company from the inside, explained that one of the issues is that LLMs are designed to be helpful and give positive responses. 'If you ask it for a report, it's going to give you a report. And then people will copy and paste these into the bug bounty platforms and overwhelm the platforms themselves, overwhelm the customers, and you get into this frustrating situation,' said Ionescu.
'That's the problem people are running into, is we're getting a lot of stuff that looks like gold, but it's actually just crap,' said Ionescu.
Just in the last year, there have been real-world examples of this. Harry Sintonen, a security researcher, revealed that the open source security project Curl received a fake report. 'The attacker miscalculated badly,' Sintonen wrote in a post on Mastodon. 'Curl can smell AI slop from miles away.'
In response to Sintonen's post, Benjamin Piouffle of Open Collective, a tech platform for nonprofits, said that they have the same problem: that their inbox is 'flooded with AI garbage.'
One open-source developer, who maintains the CycloneDX project on GitHub, pulled their bug bounty down entirely earlier this year after receiving 'almost entirely AI slop reports.'
The leading bug bounty platforms, which essentially work as intermediaries between bug bounty hackers and companies who are willing to pay and reward them for finding flaws in their products and software, are also seeing a spike in AI-generated reports, TechCrunch has learned.
Michiel Prins, the co-founder and senior director of product management at HackerOne, told TechCrunch that the company has encountered some AI slop.
'We've also seen a rise in false positives — vulnerabilities that appear real but are generated by LLMs and lack real-world impact,' said Prins. 'These low-signal submissions can create noise that undermines the efficiency of security programs.'
Prins added that reports that contain 'hallucinated vulnerabilities, vague technical content, or other forms of low-effort noise are treated as spam.'
Casey Ellis, the founder of Bugcrowd, said that there are definitely researchers who use AI to find bugs and write the reports that they then submit to the company. Ellis said they are seeing an overall increase of 500 submissions per week.
'AI is widely used in most submissions, but it hasn't yet caused a significant spike in low-quality 'slop' reports,' Ellis told TechCrunch. 'This'll probably escalate in the future, but it's not here yet.'
Ellis said that the Bugcrowd team that analyzes submissions reviews the reports manually using established playbooks and workflows, as well as with machine learning and AI 'assistance.'
To see if other companies, including those who run their own bug bounty programs, are also receiving an increase in invalid reports or reports containing non-existent vulnerabilities hallucinated by LLMs, TechCrunch contacted Google, Meta, Microsoft, and Mozilla.
Damiano DeMonte, a spokesperson for Mozilla, which develops the Firefox browser, said that the company has 'not seen a substantial increase in invalid or low quality bug reports that would appear to be AI-generated,' and the rejection rate of reports — meaning how many reports get flagged as invalid — has remained steady at 5 or 6 reports per month, or less than 10% of all monthly reports.
'Mozilla's employees who review bug reports for Firefox don't use AI to filter reports, as it would likely be difficult to do so without the risk of rejecting a legitimate bug report,' DeMonte said in an email.
Microsoft and Meta, companies that have both bet heavily on AI, declined to comment. Google did not respond to a request for comment.
Ionescu predicts that one of the solutions to the problem of rising AI slop will be to keep investing in AI-powered systems that can at least perform a preliminary review and filter submissions for accuracy.
In fact, on Tuesday, HackerOne launched Hai Triage, a new triaging system that combines humans and AI. According to HackerOne spokesperson Randy Walker, the new system leverages 'AI security agents to cut through noise, flag duplicates, and prioritize real threats.' Human analysts then step in to validate the bug reports and escalate as needed.
As hackers increasingly use LLMs and companies rely on AI to triage those reports, it remains to be seen which of the two AIs will prevail.