Due to AI: Bug bounty programs without rewards, now also at Nextcloud

Bug bounty programs are intended to let IT researchers earn income for reporting vulnerabilities. AI-generated reports are now leading to their abolition.

Burning banknotes (Image: photoschmidt/Shutterstock.com)

Bug bounty programs aim to attract external IT researchers to find and report security vulnerabilities, and to create income opportunities for them. Artificial intelligence now makes it possible to uncover vulnerabilities much faster and in far greater numbers. As a result, more and more projects are discontinuing the payment of rewards within their bug bounty programs because of the sheer volume of reports. The latest project to announce the end of payments is Nextcloud.

On the bug bounty platform HackerOne, Nextcloud has now adjusted its program description accordingly. “Please note that Nextcloud does not offer monetary bounties for security reports submitted through this program,” reads the text under the new heading “No monetary bounties” since an update on Wednesday.

Nextcloud states that it has temporarily suspended the paid bug bounty program because it is facing a high number of AI-generated illegitimate reports – regardless of the claimed severity. However, the project remains deeply committed to security and continues to collaborate with the researcher community. Valid reports will continue to be evaluated, fixed, and attributed to the reporters upon publication, so reporters still receive recognition.

Given the flood of AI-generated security reports, Nextcloud only accepts those that the reporters have manually verified themselves and can document with screenshots. Reports into which the reporters have put no effort will be ignored and sorted out as spam.

At the end of March, the HackerOne project “Internet Bug Bounty”, a popular bug bounty program for open-source projects in general, was also forced to take a drastic step: it is currently not accepting any new submissions at all.

No discussion of this topic is complete without curl founder and lead developer Daniel Stenberg. In a blog post, Stenberg describes the “High Quality Chaos” he now sees in practice. He had repeatedly complained about AI slop, which led to a high volume of junk reports being sent to the curl bug bounty program. This caused him to suspend the bug bounty program completely in February, but he then returned to HackerOne because bug management on GitHub proved insufficient.

AI slop is no longer the problem, Stenberg now confirms. However, the number of reports is increasing massively; so far, they are arriving at double the rate of 2025. The quality has improved: the confirmation rate even exceeds the pre-AI level of 2024 – Stenberg writes that 15 to 16 percent of the reports are confirmed. However, AI is now involved in every report, he adds; this can be recognized, for example, by the wording and characteristic phrases. A brief search on Mastodon for other open-source projects confirmed that curl is not the only project with this problem; he lists numerous well-known and large projects such as Apache httpd, Firefox, the Linux kernel, and others.

The number of fixed vulnerabilities will also increase. Stenberg announces that curl 8.20.0, which he plans to release in the middle of next week, will fix at least six new vulnerabilities. However, he is unsure where this will end. It is possible that the reports will reach a plateau in a few years, as happened with fuzzing as a vulnerability-hunting technique.

Since such a flood of vulnerabilities is already being found with AI, the question arises whether it is really sensible to keep vulnerability-hunting AI models like Mythos under wraps. The other AI developers are apparently not far behind.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.