Rewards programmes offered for hackers who find bugs in corporate code are being inundated with AI-generated reports of dubious quality, forcing some companies to suspend programmes altogether, according to the Financial Times.
So-called bug bounty programmes incentivise independent security researchers to keep businesses safe by offering financial rewards to those who are able to crack their systems, and have long been a staple of corporate cybersecurity. Now, the rise of AI-powered tools threatens their continued existence.
Security company Bugcrowd, whose clients include OpenAI, T-Mobile and Motorola, told the paper that its bug reports more than quadrupled over a three-week period in March, most of which proved to be false.
Curl, an open-source file transfer app, suspended its programme in January, citing an “explosion in AI slop”. Its founder said at the time that the volume of false reports curl received was higher than its open source peers, and speculated that the fact its programme was paid may be a contributing factor.
Nextcloud, an open-source, self-hosted alternative to Microsoft 365, suspended its programme in April for similar reasons, adding that it hoped the programme could resume after it found a way to filter submissions more effectively.
Ross McKerchar, chief information security officer at cyber security group Sophos, told the paper that poor-quality AI reports were “quickly becoming a major problem,” noting that amateurs and professionals alike were increasing their use of AI, meaning even well-meaning participants were getting taken in.
On the other side of AI bug-finding tools, there is Anthropic’s Claude Mythos, software that claims to find flaws that humans have missed across operating systems, financial institutions and web browsers. Earlier today, Anthropic agreed to brief global finance ministries and central banks on cyber vulnerabilities its software has identified, following fears from global regulators.