HackerOne Halts Bug Bounty Submissions as AI Discovery Outpaces Remediation Capacity

April 10, 2026 21:05 · 5 min read
A Landmark Program Hits the Brakes

HackerOne's decision to stop accepting new vulnerability submissions to its crowdsourced Internet Bug Bounty (IBB) program has thrown the economics of bug bounty programs into sharp relief. Effective March 27, the pause was triggered by what the company described as a worsening imbalance between the pace of vulnerability discoveries and the ability of open source maintainers to remediate them. The IBB, launched in 2013, is widely regarded as one of the most important vulnerability reward programs supporting the open source community.

HackerOne's announcement was direct: "The discovery landscape is changing. AI-assisted research is expanding vulnerability discovery across the ecosystem, increasing both coverage and speed. The balance between findings and remediation capacity in open source has substantively shifted." The company stated that the program's structure and incentives require a fundamental rethink to remain viable.

Node.js Caught in the Fallout

The ripple effects were immediate. Maintainers of the open source Node.js project subsequently paused their own bug bounty program, directly citing a loss of funding that had previously flowed through HackerOne. The maintainers explained their position plainly: "As a volunteer-driven open-source project, Node.js does not have an independent budget to sustain a bounty program on its own." The twin announcements sent a clear signal that the traditional bounty model is under serious structural stress.

AI Has Industrialized Discovery — But Not Remediation

Security professionals who weighed in on the situation largely agreed that HackerOne's move was rational, if long overdue. Ensar Seker, CISO at SOCRadar, framed the situation in stark terms: "HackerOne is essentially acknowledging that the bottleneck has shifted: discovery has been industrialized by AI, but remediation capacity has not scaled accordingly."

Seker noted that when AI systems can generate thousands of low- to medium-quality findings within hours, volunteer maintainers who run critical open source projects with limited funding can rapidly become overwhelmed. He characterized the pause not as a retreat from security but as "an attempt to rebalance signal versus noise."

AI-Generated 'Slop' Floods the Pipeline

John Morello, co-founder and CTO of Minimus, offered a blunter assessment. He noted that valid submissions have dropped from roughly 15% to below 5% as AI-generated low-quality reports flood triage queues. "AI-assisted hunting hasn't necessarily found more critical zero-days; instead, it's shifted the bottleneck entirely to validation, forcing triage teams to wade through thousands of plausible-sounding but non-exploitable reports," he said.

For open source maintainers, the phenomenon known as "triage fatigue" has become the dominant challenge. Teams are losing hours of development time disproving hallucinated vulnerabilities. Morello was pointed in his criticism of the current bounty model: "The current bounty model unfortunately rewards quantity over depth, effectively weaponizing unpaid labor and forcing these small teams to act as a free quality assurance department for every automated scanner on the planet."

A Wake-Up Call for the Broader Industry

Trey Ford, chief strategy and trust officer at Bugcrowd — which also operates a crowdsourced vulnerability discovery platform — described HackerOne's pause as a wake-up call. He argued that the industry spent years optimizing the wrong end of the pipeline. "AI has done exactly what it was supposed to do in terms of compressing the time required to find vulnerabilities. What we have not yet solved is the human side of the equation: the maintainer who receives 40 valid reports and has one weekend to respond," Ford said.

Ford sees the economics of research and disclosure shifting fundamentally. Raw volume of findings is no longer a competitive advantage for researchers, since AI can generate findings at scale. The premium will increasingly move toward complex logic flaws and novel attack chains that require human depth and contextual judgment. He envisions a future where vulnerability programs offer bonuses to researchers who bring fixes alongside their reports, and where shared funding pools support both the researcher who finds a flaw and the maintainer team that ships the patch.

Bounties Fund the Find, Not the Fix

David Hayes, VP of product at FusionAuth, reinforced this structural critique. He noted that bug bounty programs designed around human-paced research are burning through funds faster than anyone anticipated. "The model as currently structured isn't sustainable," he said. Bounties were designed for a world where discovery was the bottleneck. Now that discovery is increasingly automated, the bottleneck is remediation — and bounties don't fund remediation.

Hayes was direct about the stakes: "The projects that underpin critical Internet infrastructure can't rely on volunteer labor to process AI-generated reports at scale. The industry needs to figure out how to fund the fix, not just the find."

What Comes Next for HackerOne and the IBB

HackerOne has stated that its focus going forward is to explore new structural approaches that align vulnerability discovery with effective remediation, so that meaningful findings translate into durable security improvements in open source projects. The company has committed to working with project maintainers and security researchers to evaluate incentive models that better reflect the current realities of the open source ecosystem.

The situation underscores a broader industry tension: the tools that make security research faster and more scalable have simultaneously created an entirely new category of operational burden for the volunteer communities that maintain the software the world depends on. Until remediation capacity receives the same level of investment and innovation as discovery tooling, the imbalance is likely to worsen — with or without a bounty program attached to it.


Source: Dark Reading