Bug bounty programs under AI pressure

📊 Analytics · 2026-05-19, 15:05
In episode 173 of the Critical Thinking bug bounty podcast, the hosts discussed how AI is starting to noticeably affect the bug bounty market — mostly in a negative way.
Key effects highlighted by the podcast participants:
🔹 A massive flow of AI‑generated reports is pushing some bug bounty programs to scale back operations, while others (such as Google's Android and Chrome VRP programs) are significantly cutting rewards for low‑ and medium‑severity vulnerabilities.
🔹 The cost of automated pentesting is dropping sharply: the cheapest $100–500 services are mostly wrappers around well‑known AI models. While the quality of these assessments varies, their cost is far below typical bug bounty payouts.
🔹 Internal security teams are increasingly using AI tools to identify vulnerabilities throughout the service lifecycle, before production release. As a result, by the time a bounty program launches, most low‑complexity vulnerabilities have already been fixed.
This competition with AI solutions shifts the focus from finding vulnerabilities to validating them — now the core skill. At the same time, bug bounty programs are raising the entry bar not only through technical requirements: in one HackenProof experiment, introducing a $5 submission fee cut the flow of low‑quality reports by about 80%. Ultimately, the market is likely moving toward stricter participant selection, gradually separating opportunistic profit-seeking from professional security research.
✅ Still, the hosts emphasize that the same technologies expand learning and training opportunities. You can dive deeper into the topics raised in the podcast via the link.
Vendors: Google, HackenProof
Products: Android, Chrome