
Crypto security programs are rethinking vulnerability disclosure as AI tools flood bug bounty submissions across the industry. While bug bounties reward researchers for responsibly flagging flaws, the surge in AI-assisted reports is both an aid and a challenge—helping teams comb through code faster, but also increasing false positives and noise.
Industry voices say AI-assisted analysis is changing how programs must triage and verify findings, a shift with potential implications for developers, operators, and users of decentralized protocols.
Barry Plunkett, co-CEO of Cosmos Labs, described a dramatic change in how bug bounty programs operate. “Our program has seen a 900% increase in submission volume from last year, on the order of 20–50 per day,” he said, noting that the influx encompasses both credible vulnerability reports and a significant amount of noise. The volume surge has pushed teams to deploy more stringent triage and verification workflows to separate real threats from false alarms.
Across other organizations, developers have reported a similar pattern. Kadan Stadelmann, CTO at Komodo Platform, told Cointelegraph that bug bounty submissions and payouts have risen markedly, with a noticeable uptick in low-quality reports and false positives. He suggested that AI-driven tooling may be lowering the cost of producing vulnerability submissions, thereby fueling the higher throughput.
The phenomenon isn’t isolated to crypto software. In January, Daniel Stenberg, the creator of curl—a widely used open-source tool responsible for data transfers in many blockchain infrastructures—announced he would end his personal bug bounty program due to an overwhelming tide of “AI slop in vulnerability reports,” making it exhausting to sift through submissions.
HackerOne, one of the largest bug bounty platforms, also highlighted the broader trend, reporting that 85,000 valid bounty submissions were filed in 2025, up 7% from the previous year. The data underscores how AI-enabled automation is reshaping the volume and pace at which researchers engage with security programs.
Cosmos Labs has begun adapting in response to the surge by tightening its scoring framework and prioritizing trusted researchers with proven track records. Plunkett said the team is collaborating with other bug bounty providers that offer more advanced triage capabilities, aiming to separate signal from noise more efficiently as volumes rise.
Stadelmann similarly underscored the potential of defensive AI to help teams withstand the deluge. “Blockchain teams will have to create AI deterrents to sift through incoming bug bounties. The smaller the team, the bigger the problem of increased bug bounties will become. Software engineers won’t have the capacity to examine everything,” he cautioned. A defensive AI approach could automatically filter and rank reports, reducing the burden on human reviewers.
“This is where defensive AI systems to automatically sift through incoming bug bounties will be crucial. Teams dependent on bug bounties will need to develop stricter standards on their bug bounty programs as a means of lowering the number of incoming reports.”
Taken together, the episode highlights a central tension in bug bounty ecosystems: AI can amplify vigilance by widening the net for vulnerability discovery, but it can also swamp teams with untenable volumes of reports. The path forward appears to hinge on smarter triage tools, more rigorous reporter verification, and standardized quality controls across platforms.
Bug bounty programs have long been a cornerstone of security for decentralized networks, offering a carrot for researchers to disclose flaws before attackers can exploit them. The current spike in AI-assisted submissions tests the sustainability of those programs, especially for teams with limited security staff. The emerging consensus among practitioners is that AI will be a necessary ally, but only if paired with robust triage protocols and tighter verification standards.
For builders and operators, the development suggests several practical shifts: invest in AI-enabled triage that can coarsely filter reports, cultivate a trusted researcher network to fast-track credible findings, and align with bounty providers that offer deeper automated review capabilities. These moves can help ensure that the bounty ecosystem remains a reliable line of defense rather than a flood of trivial or erroneous submissions.
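One way to put the three shifts above into practice, as an added example that is not code from Cosmos Labs, Komodo Platform, HackerOne or any other program named in the article: a small Python triage queue that scores each submission by the reporter's track record and the report's completeness, sends reports that name no component or give no reproduction detail back for more information, and collapses reworded duplicates of a finding already in the queue. The reporter history, phrase lists, weights, thresholds and the sample reports (a fictional `x/escrow` module) are all constructed assumptions; a trained classifier could replace the `completeness` heuristic without changing the rest.

```python
"""Reporter-weighted triage queue for bug bounty submissions.

Added illustration; not code from any program named in the article. All
weights, phrase lists and sample reports below are constructed assumptions.
"""
from dataclasses import dataclass
import re

# Constructed reporter history: handle -> (reports accepted, reports rejected).
REPORTER_HISTORY = {"alice": (12, 1), "bob": (0, 9)}
SEVERITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2}
# Assumed tells of a template report that never looked at this code base.
GENERIC_PHRASES = ("as an ai", "may potentially", "it is recommended to review",
                   "could lead to unspecified")
# Assumed signs that the report gives a reviewer something to act on.
REPRO_MARKERS = ("steps to reproduce", "proof of concept", "tx hash", "line ", "function ")


@dataclass
class Submission:
    sub_id: str
    reporter: str
    component: str         # affected module; empty if the report names none
    title: str
    body: str
    claimed_severity: str  # as claimed by the reporter, not yet verified


def track_record(reporter: str) -> float:
    """Laplace-smoothed acceptance rate; an unknown reporter starts at 0.5."""
    accepted, rejected = REPORTER_HISTORY.get(reporter, (0, 0))
    return (accepted + 1) / (accepted + rejected + 2)


def completeness(sub: Submission) -> float:
    """Fraction of four cheap checks the report passes."""
    text = sub.body.lower()
    checks = [
        bool(sub.component.strip()),                   # names a component
        any(m in text for m in REPRO_MARKERS),         # gives repro detail
        not any(p in text for p in GENERIC_PHRASES),   # not boilerplate
        len(text.split()) >= 25,                       # more than a one-liner
    ]
    return sum(checks) / len(checks)


def priority(sub: Submission) -> float:
    """0.0 when the completeness gate fails, else severity-weighted trust and detail."""
    if completeness(sub) < 0.5:
        return 0.0
    sev = SEVERITY_WEIGHT.get(sub.claimed_severity.lower(), 0.2)
    return round(sev * (0.6 * track_record(sub.reporter) + 0.4 * completeness(sub)), 3)


def tokens(sub: Submission) -> set:
    text = f"{sub.component} {sub.title} {sub.body}".lower()
    return set(re.findall(r"[a-z0-9_]{3,}", text))


def jaccard(a: set, b: set) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def triage(subs, dup_threshold: float = 0.4, review_threshold: float = 0.35):
    """Return (id, priority, status) tuples, highest priority first.

    dup_threshold is deliberately low: two write-ups of one bug rarely share
    more than half their tokens. Both thresholds are assumed values.
    """
    kept, out = [], []          # kept: (token set, id) of queued non-duplicates
    for sub in sorted(subs, key=priority, reverse=True):
        score = priority(sub)
        if score == 0.0:
            out.append((sub.sub_id, score, "request details"))
            continue
        toks = tokens(sub)
        dup_of = next((sid for t, sid in kept if jaccard(toks, t) >= dup_threshold), None)
        if dup_of is not None:
            status = f"duplicate of {dup_of}"
        else:
            kept.append((toks, sub.sub_id))
            status = "review" if score >= review_threshold else "backlog"
        out.append((sub.sub_id, score, status))
    return out


# Constructed sample reports against a fictional x/escrow module (not real findings).
SAMPLES = [
    Submission("R-1", "alice", "x/escrow", "Double release in MsgRelease handler",
               "Steps to reproduce: 1) submit a MsgRelease whose outputs list the same recipient "
               "twice 2) observe that the balance in function releaseFunds at line 210 is read "
               "before the second debit. Proof of concept attached as a local testnet script; "
               "tx hash from devnet included below.", "critical"),
    Submission("R-2", "bob", "x/escrow", "Possible double release in escrow",
               "Steps to reproduce: submit MsgRelease with a repeated recipient; the balance at "
               "line 210 of releaseFunds is read before the second debit. Proof of concept "
               "script attached, tx hash included.", "critical"),
    Submission("R-3", "bob", "", "Potential security issue",
               "As an AI assistant I analysed the repository and the code may potentially contain "
               "vulnerabilities that could lead to unspecified impact. It is recommended to "
               "review all input handling.", "critical"),
    Submission("R-4", "newcomer", "rpc", "Verbose error leaks node file path",
               "Steps to reproduce: call the status endpoint with a malformed JSON body; the "
               "response body includes the absolute path of the config file. Low impact but "
               "worth sanitising.", "low"),
]

if __name__ == "__main__":
    for sub_id, score, status in triage(SAMPLES):
        print(f"{sub_id}  {score:.3f}  {status}")
```

Run as-is, the queue puts the trusted reporter's complete critical report first, marks the reworded restatement of it as a duplicate, drops the complete but low-severity newcomer report into the backlog, and bounces the template report back with a request for a component and reproduction steps. The duplicate check orders the review queue only; payout attribution for duplicates should still go by submission timestamp, which this example does not track.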
As the industry experiments with stronger screening and smarter automation, observers will want to watch for how quickly bug bounty platforms roll out standardized quality controls and how crypto projects adapt incentive structures to maintain high signal-to-noise ratios. The degree to which smaller teams can implement effective defensive AI and whether regulators begin to steer disclosure practices will shape the resilience of crypto security in the near term.
Readers should stay tuned for updates on AI-driven triage innovations, platform policy changes, and real-world outcomes from ongoing vulnerability disclosures across leading DeFi and non-DeFi protocols.
Looking ahead, the balance between rapid vulnerability discovery and manageable review workloads will determine how bug bounty programs influence security in an increasingly automated landscape. The next few quarters could define whether AI remains a force multiplier for defense or becomes a bottleneck that teams must outpace with smarter tooling and stricter reporting standards.
This article was originally published as AI Sparks Bug-Bounty Surge in Crypto, but Low-Quality Reports Grow on Crypto Breaking News.