
Internet Bug Bounty Pauses Payouts, Citing 'Expanding Discovery' From AI-Assisted Research (infoworld.com)

The Internet Bug Bounty program "has been paused for new submissions," they announced last week.

Running since 2012, the program is funded by "a number of leading software companies," reports InfoWorld, "and has awarded more than $1.5m to researchers who have reported bugs." Up to now, 80% of its payouts have been for discoveries of new flaws, and 20% to support remediation efforts. But as artificial intelligence makes it easier to find bugs, that balance needs to change, HackerOne said in a statement. "AI-assisted research is expanding vulnerability discovery across the ecosystem, increasing both coverage and speed. The balance between findings and remediation capacity in open source has substantively shifted," said HackerOne.

Among the first programs to be affected is the Node.js project, a server-side JavaScript platform for web applications known for its extensive ecosystem. While the project team will continue to accept and triage bug reports through HackerOne, without funding from the Internet Bug Bounty program it will no longer pay out rewards, according to an announcement on its website...

[J]ust last month, Google also put a halt to AI-generated submissions provided to its Open Source Software Vulnerability Reward Program.

The Internet Bug Bounty stressed that "We have a responsibility to the community to ensure this program effectively accomplishes its ambitious dual purpose: discovery and remediation. Accordingly, we are pausing submissions while we consider the structure and incentives needed to further these goals..."

"We remain committed to strengthening open source security. Working with project maintainers and researchers, we're actively evaluating solutions to better align incentives with open source ecosystem realities and ensure vulnerability discoveries translate into durable remediation outcomes."
  • by Brain-Fu ( 1274756 ) on Sunday April 05, 2026 @10:01PM (#66079032) Homepage Journal

    ...but that sure won't stop me from passing judgment!

    This sounds like a clear case of "AI makes it so easy to find bugs now, that we don't need to pay out cash to incite others to do it anymore."

    • by Anonymous Coward

      read any of the past ones? a consistent historic pattern seems enough for judgement

      anything with a bounty has been getting flooded with claims of bugs that often aren't true and eat up time

      allegations with nothing at stake - REALLY nothing, not even any effort invested, not even two seconds of mental effort - and any tiny chance of yield mean infinite value, the game theory should be obvious now that i've laid it out, it's a divide-by-zero problem we've seen similarly before (MMOs with RMT gold, mech turk f

    • by Petersko ( 564140 ) on Monday April 06, 2026 @12:31AM (#66079100)

      Money for bounties is not infinite. If the pace of claims is so large that you can't fix them all and you can't afford to pay the bounties, you stop. Makes perfect sense to me.

      • by test321 ( 8891681 ) on Monday April 06, 2026 @02:44AM (#66079156)

        True, but I think this is a phase. AI is going to find thousands of bugs in the coming year that are low-hanging fruit for its AI capabilities. Bug bounty programmes shouldn't pay for that.
        But as development teams integrate AI, old code gets fixed and new code won't include bugs AI can find. Then the usefulness of AI bug reports will decrease again, until a new baseline where human security teams (using AI tools and also their brains) are needed to find the bugs that AI can't figure.

      • If the pace of claims is so large that you can't fix them all

        So, what, they just leave in security vulnerability bugs that anyone can now easily find using AI?

        • Bounties are incentives to do the legwork to discover flaws. If the cost of that discovery drops to near zero, the queue is jammed as a result, and the capacity to remediate is oversubscribed, you should stop paying bounties.

          Nobody is saying you should stop fixing bugs. Only that the process of identifying them has been devalued. Which it has.

          • So if the pace of claims is so large that you can't fix them all, what do you do? Neither no longer giving an incentive to discover flaws, nor no longer accepting claims, reduces the number of flaws.
  • More open source is falling prey to the spray and pray tactics of AI bug reporting?
  • I've argued for a while that AI may not take all jobs, but it certainly will cut down on the number of hires.

    So instead of several testers, and a team of back-end and front-end devs, depending on size of company, they can get away with half or quarter of the team.

    Sadly as AI gets ever more advanced, I envision a time perhaps in a year or two where the senior dev is left mostly just reviewing pull requests generated by AI.

    AI is already taking away design opportunities, and you only have to look at some of the profes

  • by T34L ( 10503334 ) on Sunday April 05, 2026 @11:49PM (#66079086)

    I think this is a pretty great bottled example of well how AI can be simultaneously super transformative to society and at the same time how companies like OpenAI and Anthropic can be insanely overvalued and presenting a colossal bubble of sentiment that's never going to see long term return on investment.

    A lot of the currently seemingly lucrative uses of AI that promise to make big bucks for anyone with their fingers in the pie are based on observations that hey; there's this whole million dollar market that you can profit off of insanely easily with a clawdbot running on your DGX Spark or whatever.

    Except it turns out that once enough people get that idea they first overwhelm the next immediate bottleneck; the validation that the "fixes" of bugs don't introduce other bugs, or worse yet, deliberate backdoors or something else, and before the dust of that settles, it turns out now everyone has the same sauce you tried to sell them for fraction of the cost they'd have ever considered paying to you.

    And so, what looked like a lucrative oilwell swollen with potential got throttled to a drip of selective access and additional friction to your attempt at exploiting it that wasn't there until you arrived with your extraction system.

    Meanwhile, as you struggle to get the return on investment on your overgrown Bugfixing Someone Else's Code Factory, cheaper, more flexible and most importantly, more verifiable semi-automated bugfixing makes it into the internal pipelines of your would-be-customers, and they deploy their AI alongside their existing programmers who have just the know how needed to achieve the same thing at fraction of trial and error (and thus compute) and with out of band information (and thus less model and dataset complexity) that you needed to get it to work at all.

    Similarly, there seems to be a strong notion that all those bizfolk have all those ditzy secretaries, and all they do? They churn out politely worded emails to other bizfolk, and then decipher politely worded emails coming back, maybe copy some numbers between Excel spreadsheets back and forth. And all that for like five grand a month! You want that money, and so you present the email'n'Excel service that can get all that money for itself and only costs you a little bit of a datacenter to run. Except, whoops, two years down the line a Chinese company starts selling a NUC-sized paperweight that can do all the same without a subscription and with all that precious customer's bizinfo staying exclusively on-premise, which your prospective customers seem weirdly picky about after you had two dozen major data leaks.

    Of course, the economy of scale and capital consolidation will always give an advantage to large companies with a lot of money, but all it takes is for you, the leading-position capitalist, to make just a couple of bad bets and end up having your lunch eaten by competitors a fraction of your size (Intel); I'm fairly sure even Nvidia isn't immune to that, especially as now the very code development ease they enable eats away the moat of client lock-in; CUDA and the rest of their software framework (it'll be real interesting to see when "cleanroom derivatives" of that whole stack start popping up), plus having a pretty sizeable chunk of the world forced to look for alternatives for political reasons (the US government trying to throttle the flow of compute capability to China truly is a more potent innovation motivator for companies within China than the Chinese Party could ever hope to come up with, let alone enforce).

    The world sure is changing a lot, and everyone's squinting at the future, but a lot of the big, high-level decisions being made sure seem as short-sighted as ever.

  • This reminds me of the Bitcoin Faucet and AllAdvantage. All it takes is a shift in demand or technology and suddenly your operating model falls apart. Welcome to the Internet.

  • $100k/year - not too bad I suppose. Oh wait, there's more than one person working.

    Did I misunderstand?
