April 22, 2026 ChainGPT

AI Floods Crypto Bug Bounties — 900% Surge Overwhelms Security Teams

Crypto bug bounty programs are being swamped by AI-generated reports — and security teams are feeling the strain. As artificial intelligence tools make it faster and easier to scan code and draft vulnerability reports, crypto protocols are seeing a dramatic uptick in submissions. But along with genuine findings, teams say they’re also getting far more low-quality entries and false positives, increasing the workload for developers and security staff who must triage every claim.

Why it matters

Bug bounty programs pay outside researchers to surface software flaws before attackers exploit them. They’re a critical part of crypto security because many protocols run on open-source code and control vast amounts of user funds. An influx of noisy or incorrect reports can drown out real threats and slow response times.

What’s happening now

Cosmos Labs co-CEO Barry Plunkett says his company’s program has experienced a 900% jump in submissions over the past year — roughly 20–50 reports per day. “The rise included both valid and invalid reports, creating more work for teams trying to separate real issues from weak claims,” Plunkett said.

Komodo Platform CTO Kadan Stadelmann describes a similar pattern: more submissions and payouts overall, but a noticeable increase in low-quality reports and false positives that “potentially suggest AI sourcing.” He added that AI has likely lowered the cost and effort needed to produce a report, encouraging more researchers — and more noise — to participate.

Broader signals and examples

This trend isn’t limited to crypto. In January, curl creator Daniel Stenberg shut down his project’s bug bounty after an “influx of AI slop in vulnerability reports.” And HackerOne reported 85,000 valid bounty submissions in 2025, a 7% rise year-over-year — underscoring growing activity across the vulnerability market.
How teams are responding

To keep programs effective, some crypto teams are adapting:

- Cosmos Labs tightened scoring criteria and now privileges submissions from trusted researchers with strong track records, while working with bug-bounty platforms that offer advanced triage support to filter duplicates and weak reports.
- Stadelmann suggests protocols set stricter submission standards and use AI defensively: “Blockchain teams will have to create AI deterrents to sift through incoming bug bounties,” he said. Defensive AI could speed sorting and reduce the burden on small teams with limited engineering resources.

Outlook

Bug bounties remain essential for decentralized security, but AI is forcing a rethink of how they’re run. Expect more rigorous filters, reputation-based weighting, and automated triage tools as teams try to preserve the benefits of outside research while cutting down on AI-driven noise.