We are retiring our bug bounty program

AI-Generated “Slop” Overwhelming Bug Bounties

  • Many comments say AI-assisted or fully automated bug-hunting is flooding programs with low‑quality, often nonsensical reports and PRs.
  • Maintainers’ time is now spent disproving claims, reproducing contrived scenarios, and arguing with submitters (or their agents).
  • Several see this as an expected outcome of cheap LLM access plus financial incentives.

Economic and Technical Countermeasures

  • Strong theme: add monetary friction.
    • Ideas: submission deposits ($5–$100+), higher bounties but a paywall to submit, BTC or other crypto to avoid chargebacks.
    • Concern: this also deters legitimate researchers, especially those with limited means or unsupportive employers.
  • Other proposals:
    • “Three strikes” / ban systems; widely criticized as still consuming reviewer time and easy to evade with new accounts.
    • Third‑party “bug bounty bouncer” services that vet reports and maintain contributor reputation.
    • Using AI to pre‑screen slop; critics note this just creates “sloppy turtles all the way down.”

Open Source Contribution Models Under Strain

  • Several argue the “anyone can open an issue/PR” model is breaking under automated spam.
  • Suggested shifts:
    • Read‑only by default with granular permissions (comment, open issue, create PR, run CI).
    • Vouch / trust‑net systems to gate who can contribute.
  • Others see this as a loss: it undermines the traditional openness and serendipitous contributions of OSS.
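To make the "read-only by default, earn capabilities through vouches" proposal concrete, here is a small Python model written for this summary; it is an added illustration, not code from the thread or from any project mentioned in it. Every threshold, rule and account name below is a constructed assumption: new accounts start with read access only, each further capability (comment, open issue, create PR, run CI) needs a set number of vouches, a vouch counts only while the voucher still holds that capability, banning an account withdraws every vouch it gave, and mutual vouching among newcomers does not bootstrap trust.

```python
"""Vouch-gated contributor permissions: a toy model of the "read-only by
default, earn capabilities through vouches" idea from the thread.
Added illustration, not code from the original page; every threshold,
account name and rule here is a constructed assumption."""

# Capabilities and the number of vouches needed to hold each one.
# Assumption: "read" is free; everything else must be vouched for by members
# who already hold that same capability. Order matters for permissions().
THRESHOLDS = {"read": 0, "comment": 1, "open_issue": 1, "create_pr": 2, "run_ci": 3}


class TrustNet:
    def __init__(self, founders):
        self.founders = set(founders)   # bootstrap members; hold everything
        self.members = set(founders)
        self.banned = set()
        self.vouches = {}               # (subject, capability) -> set of vouchers

    def join(self, account):
        """A new account gets nothing beyond 'read' until someone vouches."""
        self.members.add(account)

    def vouch(self, voucher, subject, capability):
        """Record a vouch. Rejected when self-vouching or when the voucher
        does not itself hold the capability (a fresh account cannot vouch)."""
        if voucher == subject or not self.has(voucher, capability):
            return False
        self.vouches.setdefault((subject, capability), set()).add(voucher)
        return True

    def revoke(self, voucher, subject, capability):
        self.vouches.get((subject, capability), set()).discard(voucher)

    def ban(self, account):
        """Banning removes the account and every vouch it ever gave, so trust
        that only flowed through it collapses (a fresh sock-puppet account
        still needs vouches from members who remain)."""
        self.banned.add(account)
        for vouchers in self.vouches.values():
            vouchers.discard(account)

    def has(self, account, capability, _chain=()):
        """Does the account hold the capability right now? A vouch counts only
        if the voucher still holds the capability; _chain stops mutual
        vouching among newcomers from justifying itself."""
        if account in self.banned or account not in self.members:
            return False
        if account in self.founders:
            return True
        if account in _chain:
            return False
        needed = THRESHOLDS[capability]
        if needed == 0:
            return True
        chain = _chain + (account,)
        valid = [v for v in self.vouches.get((account, capability), ())
                 if self.has(v, capability, chain)]
        return len(valid) >= needed

    def permissions(self, account):
        return [c for c in THRESHOLDS if self.has(account, c)]


def scenario():
    """Constructed walk-through; returns the observations a reviewer would check."""
    net = TrustNet(founders=["alice", "dave"])
    for acct in ("bob", "carol", "sock", "erin", "frank"):
        net.join(acct)
    out = {}
    out["newcomer"] = net.permissions("bob")                      # ['read']
    net.vouch("alice", "bob", "comment")
    net.vouch("alice", "bob", "create_pr")
    out["one_vouch_for_pr"] = net.has("bob", "create_pr")         # False: needs 2
    net.vouch("dave", "bob", "create_pr")
    out["two_vouches_for_pr"] = net.has("bob", "create_pr")       # True
    net.vouch("bob", "carol", "comment")                          # bob may vouch now
    out["sock_can_vouch"] = net.vouch("sock", "carol", "open_issue")  # False
    out["carol_before_ban"] = net.has("carol", "comment")         # True
    net.ban("bob")
    out["carol_after_ban"] = net.has("carol", "comment")          # False
    # Mutual vouching between two newcomers does not bootstrap trust.
    net.vouch("alice", "erin", "comment")
    net.vouch("erin", "frank", "comment")
    net.vouch("frank", "erin", "comment")
    net.revoke("alice", "erin", "comment")
    out["cycle_only"] = (net.has("erin", "comment"), net.has("frank", "comment"))  # (False, False)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that capabilities are recomputed from the live vouch graph rather than stored as flags: a ban or revocation takes effect immediately for everyone downstream, which is what makes the "new account" evasion discussed above expensive instead of free.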

Code Quality, Review Bottlenecks, and AI

  • Repeated point: bottleneck is reading and understanding code, not typing it.
  • Analogy to “tactical tornado” developers whose massive, fast changes slow teams due to review and maintenance costs; AI is seen as the “ultimate tactical tornado.”
  • Some note AI genuinely speeds feature work (2–5x) in certain orgs, but critics foresee rising security and reliability debt.

Human Identity, Reputation, and Community Design

  • Growing emphasis on being a “verifiable human” with reputation in trusted, sometimes invite‑only, communities.
  • Honeypot repos that attract AI bounty hunters are discussed as both research tools and evidence of the scale of automated slop.

Broader Attitudes Toward AI

  • Split between:
    • Skeptics who see AI as net harmful in this domain and advocate “shutting it down” or tightly closed teams.
    • Pragmatists who say AI is here to stay and the realistic path is redesigning incentives, tooling, and contribution channels.