April 22, 2026 ChainGPT

AI Floods Crypto Bug Bounties with Low-Quality Reports, Forcing Tighter Triage

AI floods crypto bug bounty programs with reports — and a lot of noise

Artificial intelligence is dramatically increasing the volume of bug bounty reports hitting crypto projects — but much of that surge is low-quality or outright false alarms, forcing teams to rethink how they triage and trust submissions.

Bug bounties pay outside researchers to disclose software flaws before attackers exploit them. In crypto, where protocols often handle large sums of user funds and run on open-source code, these programs are a core security layer. Now, AI tools that can scan repositories and draft technical write-ups are lowering the cost of producing and submitting findings — and that’s producing both benefits and headaches.

Big jump in submissions — and in noise

Cosmos Labs co-CEO Barry Plunkett says his team has seen submissions explode over the past year, with a roughly 900% increase and 20–50 reports arriving per day. “The rise included both valid and invalid reports,” Plunkett said, meaning security teams now spend more time separating real issues from weak or erroneous claims.

Komodo Platform CTO Kadan Stadelmann sees the same trend: more submissions and higher payout activity, but a growing share of low-quality reports and false positives that “potentially suggest AI sourcing.” He notes AI lowers the effort needed to produce a report, which encourages more—and sometimes less reliable—participation.

AI helps but also misleads

On the positive side, AI can speed code review and highlight potential vulnerabilities, enabling more researchers (and newcomers) to join bounty programs. On the downside, AI systems can generate technical-sounding but inaccurate findings, adding review overhead and risk of wasted effort for developers and security staff.

This isn’t confined to crypto. In January, curl creator Daniel Stenberg ended his bug bounty program, citing an influx of what he called “AI slop in vulnerability reports.” And HackerOne reported 85,000 valid bounty submissions in 2025 — a 7% increase year-over-year — underscoring how overall submission volumes are rising even as quality varies.

How teams are adapting

Crypto teams are altering processes to keep bounties useful without being buried by chatter. Cosmos Labs has tightened scoring, prioritizing submissions from trusted researchers with proven track records, and is working with bounty providers that offer stronger triage services to filter weak or duplicate reports.

Stadelmann suggests AI will also be part of the defense: smaller teams, which lack the engineering bandwidth to sift large numbers of reports, may need “AI deterrents” to pre-sort incoming bounties. He also recommends stricter submission standards to reduce the noise created by automated tooling.

What this means for the ecosystem

Bug bounty programs are likely to remain essential to blockchain security, but they’re changing. As AI-driven reporting scales, protocols must invest in smarter triage — combining human expertise, tighter submission rules, trusted researcher programs, and defensive AI — to preserve the signal amid the growing noise.