AI drives surge in ‘bug bounty’ reports, but the ‘slop’ is rising too

Crypto protocols have warned that an increase in AI use has led to a flood of bogus bug bounty submissions, putting a strain on teams trying to identify real threats to their protocols.

Bug bounties are a system to reward “good” hackers for submitting reports about potential vulnerabilities and are popular in the crypto industry. AI has now made it easier to sift through large amounts of code to find possible bugs, though AI is also known to hallucinate.

“AI is changing the way that bug bounty programs must operate,” said Barry Plunkett, co-CEO of Cosmos Labs, on Tuesday, responding to a bug bounty hunter who accused the protocol of ignoring their vulnerability report.

Source: Barry Plunkett

“Our program has seen a 900% increase in submission volume from last year, on the order of 20-50 per day,” he said, adding that it’s led to a huge increase in both valid and invalid reports.

Kadan Stadelmann, a blockchain developer and chief technology officer at Komodo Platform, told Cointelegraph he has also seen a notable increase in bug bounty submissions and payouts across organizations.

“There has definitely been an increase in low-quality bug bounty submissions, some of which have been false positives, potentially suggesting AI sourcing. One potential explanation is that AI has caused a decrease in the cost to produce a report, resulting in an influx of submissions.”

In January, Daniel Stenberg, the creator of the open-source data transfer tool curl, which is used in many apps, including blockchain infrastructure, announced he was ending his bug bounty program because of an influx of “AI slop in vulnerability reports,” and he was exhausted from sifting through them.