AI-Led Remediation Crisis Prompts HackerOne to Pause Bug Bounties
Discovery used to be the bottleneck for open source bugs, but with automated discovery, remediation's the bottleneck, which bounties don't fund.
Jai Vijayan, Contributing Writer
April 8, 2026
4 Min Read
A recent decision by HackerOne to suspend new vulnerability submissions to its crowdsourced Internet Bug Bounty (IBB) program has spotlighted the growing remediation challenges across the industry, driven by the rapid advancement of AI-assisted bug hunting and discovery.
Launched in 2013, the IBB is widely regarded as one of the open source community's most important vulnerability reward programs. Effective March 27, the program paused accepting new vulnerability submissions because of what HackerOne described as a worsening imbalance between the rate of vulnerability discoveries and the ability of open source maintainers to remediate them.
'Signal Versus Noise'
"The discovery landscape is changing. AI-assisted research is expanding vulnerability discovery across the ecosystem, increasing both coverage and speed," HackerOne announced. "The balance between findings and remediation capacity in open source has substantively shifted," and requires a rethink of the structure and incentives of crowdsourced programs like IBB, it said.
Following HackerOne's decision, the maintainers of the open source Node.js project paused their own bug bounty program, citing a loss of funding previously available via HackerOne. "As a volunteer-driven open-source project, Node.js does not have an independent budget to sustain a bounty program on its own," the maintainers explained.
Several security experts perceived the announcements as significant but not unexpected, given the rapid growth of AI-assisted vulnerability discovery.
"This is a rational, even overdue correction to how bug bounty ecosystems operate under AI pressure," says Ensar Seker, chief information security officer (CISO) at SOCRadar. "HackerOne is essentially acknowledging that the bottleneck has shifted: discovery has been industrialized by AI, but remediation capacity has not scaled accordingly," he says. When AI can generate thousands of low- to medium-quality findings in a matter of hours, the maintainers of open source projects, who are often volunteers with limited funding, can easily get overwhelmed. "So yes, [HackerOne] absolutely have a point that this is not a retreat from security, it’s an attempt to rebalance signal versus noise."
AI-Generated Slop
John Morello, co-founder and chief technology officer (CTO) of Minimus, says the share of valid submissions has dropped from roughly 15% to below 5% as AI-generated "slop" floods the gates. "AI-assisted hunting hasn't necessarily found more critical zero-days; instead, it's shifted the bottleneck entirely to validation, forcing triage teams to wade through thousands of plausible-sounding but non-exploitable reports," he says.
For open source project maintainers, "triage fatigue" has become the biggest challenge: they lose hours of development time just to disprove hallucinated vulnerabilities. "The current bounty model unfortunately rewards quantity over depth, effectively weaponizing unpaid labor and forcing these small teams to act as a free [quality assurance] department for every automated scanner on the planet," Morello says.
HackerOne said its focus now is on finding new ways to meet its original objectives of aligning vulnerability discovery with effective remediation "so that meaningful findings lead to durable security improvements in open source projects." To that end, HackerOne will work with project maintainers and researchers to evaluate approaches that better align incentives with the realities of the open source ecosystem.
Trey Ford, chief strategy and trust officer at Bugcrowd, which also operates a crowdsourced vulnerability discovery platform, sees HackerOne's decision as a wake-up call. "Let's be clear about what this pause actually signals: the industry spent years optimizing the wrong end of the pipeline," he says. AI has done exactly what it was supposed to do in compressing the time required to find vulnerabilities. "What we have not yet solved is the human side of the equation: the maintainer who receives 40 valid reports and has one weekend to respond," Ford says.
Discovery's Funded, Remediation Isn't
What's required now are greater investments in remediation capacity with the same urgency as has been put into discovery. "The economics of research and disclosure are shifting. AI lowers the barrier to finding, which means raw volume is no longer a competitive advantage for researchers," Ford notes. The premium increasingly will move toward complex logic flaws and novel attack chains that require human depth and contextual judgment that machines cannot replicate. "The next generation of vulnerability programs may offer bonuses to researchers for bringing fixes, not just reporting vulnerabilities, and create shared pools that fund both the researcher who finds and the maintainer team that ships the patch."
Remediation is not the only challenge. As David Hayes, VP of product at FusionAuth, notes, bug bounty programs designed around human-paced research are burning through funds faster than anyone anticipated. "The model as currently structured isn't sustainable," he says. Bounties were designed for a world where discovery was the bottleneck. Now that discovery is increasingly automated, the bottleneck is remediation, which bounties don't fund. "The projects that underpin critical Internet infrastructure can't rely on volunteer labor to process AI-generated reports at scale," he says. "The industry needs to figure out how to fund the fix, not just the find."
About the Author
Jai Vijayan
Contributing Writer
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.