HackerOne Slashes Bug Bounty Payouts, Citing AI-Driven Report Floods
HackerOne has drastically cut its bug bounty payouts. The reported reward for a critical vulnerability dropped from $9,250 to $2,257, a high-severity bounty from $4,429 to $1,009, and even a low-severity finding from $597 to $68. This move, as highlighted by LΣҒΔ𝕽ΩLL 🇮🇱, sharply reduces the financial incentive for researchers, especially those focused on open-source vulnerabilities.
LΣҒΔ𝕽ΩLL 🇮🇱 attributes these cuts primarily to the overwhelming influx of bug reports, many of which are generated or heavily assisted by AI, specifically Large Language Models (LLMs). This surge includes a large volume of low-quality, often hallucinated, reports. Because a report has to be reproduced before it can be rejected, an invalid submission consumes roughly the same maintainer time as a valid one. The result is a triage bottleneck: more submissions, the same or less human capacity to review them, and ultimately a smaller budget left for legitimate findings.
For defenders, this shift matters beyond researcher income. While AI can certainly aid in vulnerability discovery, the current situation, as LΣҒΔ𝕽ΩLL 🇮🇱 notes, is creating friction. It disincentivizes serious researchers and could reduce the overall quality of community-driven vulnerability disclosures, potentially leaving critical issues unaddressed for longer in open-source projects. CISOs should recognize that the economic model for external vulnerability discovery is changing rapidly.
What This Means For You
- If your organization relies on public bug bounty programs for open-source dependencies, understand that the landscape is changing. Reduced payouts could deter skilled researchers, meaning fewer eyes on critical open-source vulnerabilities. Don't depend solely on external programs: bolster your internal application security testing (AST) for open-source components, for example software composition analysis of your dependency manifests and lockfiles, and ensure robust software supply chain practices are in place, such as pinned and verified dependency versions and a maintained SBOM.