
"He says he received seven reported issues in a 16-hour period, none of which identified a vulnerability. These formed part of 20 submissions reviewed in the first weeks of 2026. As a result, he has now announced plans to shut down the bounty programme he ran through HackerOne "to remove the incentive for people to submit poorly researched reports ... AI-generated or not.""
"In previous years, somewhere north of 15% of submissions ended up as confirmed vulnerabilities. Starting in 2025, that rate fell below 5%. Not even one in 20 was real."
"Stenberg said the volume of submissions placed a heavy burden on his security team. Speaking to Computer Weekly, he confirms the programme ended in January, and that he has switched from using HackerOne to GitHub for vulnerability reporting."
Bug bounty programs reward security researchers for finding and reporting vulnerabilities. While the concept is straightforward, adoption has been uneven, with widely varying reward structures. Daniel Stenberg, founder of cURL, recently discontinued his bug bounty program on HackerOne because of an overwhelming volume of poor-quality submissions. In early 2026 he received seven reports in a single 16-hour period, none of which identified a vulnerability. The rate at which submissions were confirmed as valid vulnerabilities fell from over 15% in previous years to below 5% starting in 2025, meaning most submissions were invalid. The increased volume placed a significant burden on his security team. Stenberg has switched to GitHub for vulnerability reporting, which substantially reduced submission volume while maintaining the program's effectiveness.
#bug-bounty-programs #vulnerability-disclosure #security-research-quality #ai-generated-submissions #program-sustainability
Read at ComputerWeekly.com