{"id":88986,"date":"2025-07-24T15:45:12","date_gmt":"2025-07-24T15:45:12","guid":{"rendered":"https:\/\/www.europesays.com\/us\/88986\/"},"modified":"2025-07-24T15:45:12","modified_gmt":"2025-07-24T15:45:12","slug":"ai-slop-and-fake-reports-are-exhausting-some-security-bug-bounties","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/us\/88986\/","title":{"rendered":"AI slop and fake reports are exhausting some security bug bounties"},"content":{"rendered":"<p id=\"speakable-summary\" class=\"wp-block-paragraph\">So-called AI slop, meaning <a href=\"https:\/\/techcrunch.com\/2025\/05\/25\/from-llms-to-hallucinations-heres-a-simple-guide-to-common-ai-terms\/#large-language-model\" rel=\"nofollow noopener\" target=\"_blank\">LLM<\/a>-generated low quality images, videos, and text, has taken over the internet in the last couple of years, polluting <a href=\"https:\/\/techcrunch.com\/2025\/07\/09\/youtube-prepares-crackdown-on-mass-produced-and-repetitive-videos-as-concern-over-ai-slop-grows\/\" rel=\"nofollow noopener\" target=\"_blank\">websites<\/a>, <a rel=\"nofollow noopener\" href=\"https:\/\/www.404media.co\/where-facebooks-ai-slop-comes-from\/\" target=\"_blank\">social media platforms<\/a>, at least <a rel=\"nofollow noopener\" href=\"https:\/\/www.404media.co\/viral-ai-generated-summer-guide-printed-by-chicago-sun-times-was-made-by-magazine-giant-hearst\/\" target=\"_blank\">one newspaper<\/a>, and even <a href=\"https:\/\/techcrunch.com\/2025\/01\/08\/ces-2025-was-full-of-irl-ai-slop\/\" rel=\"nofollow noopener\" target=\"_blank\">real-world events<\/a>.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The world of cybersecurity is not immune to this problem, either. 
In the last year, people across the cybersecurity industry have raised concerns about AI slop bug bounty reports, meaning reports that claim to have found vulnerabilities that do not actually exist, because they were created with a <a href=\"https:\/\/techcrunch.com\/2024\/06\/01\/what-is-ai-how-does-ai-work\/\" rel=\"nofollow noopener\" target=\"_blank\">large language model<\/a> that simply made up the vulnerability, and then packaged it into a professional-looking writeup.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cPeople are receiving reports that sound reasonable, they look technically correct. And then you end up digging into them, trying to figure out, \u2018oh no, where is this vulnerability?\u2019,\u201d Vlad Ionescu, the co-founder and CTO of <a rel=\"nofollow noopener\" href=\"https:\/\/www.runsybil.com\/\" target=\"_blank\">RunSybil<\/a>, a startup that develops AI-powered bug hunters, told TechCrunch.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cIt turns out it was just a hallucination all along. The technical details were just made up by the LLM,\u201d said Ionescu.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Ionescu, who used to work at Meta\u2019s red team tasked with hacking the company from the inside, explained that one of the issues is that LLMs are designed to be helpful and give positive responses. \u201cIf you ask it for a report, it\u2019s going to give you a report. And then people will copy and paste these into the bug bounty platforms and overwhelm the platforms themselves, overwhelm the customers, and you get into this frustrating situation,\u201d said Ionescu.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cThat\u2019s the problem people are running into, is we\u2019re getting a lot of stuff that looks like gold, but it\u2019s actually just crap,\u201d said Ionescu.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Just in the last year, there have been real-world examples of this. 
Harry Sintonen, a security researcher, revealed that the open source security project Curl received a fake report. \u201cThe attacker miscalculated badly,\u201d Sintonen wrote <a rel=\"nofollow noopener\" href=\"https:\/\/infosec.exchange\/@harrysintonen\/114455549143577092\" target=\"_blank\">in a post on Mastodon<\/a>. \u201cCurl can smell AI slop from miles away.\u201d<\/p>\n<p class=\"wp-block-paragraph\">In response to Sintonen\u2019s post, Benjamin Piouffle of Open Collective, a tech platform for nonprofits, <a rel=\"nofollow noopener\" href=\"https:\/\/framapiaf.org\/@Betree\/114456180452192212\" target=\"_blank\">said<\/a> that they have the same problem: that their inbox is \u201cflooded with AI garbage.\u201d\u00a0<\/p>\n<p class=\"wp-block-paragraph\">One open-source developer, who maintains the CycloneDX project on GitHub, <a rel=\"nofollow noopener\" href=\"https:\/\/github.com\/CycloneDX\/cyclonedx-rust-cargo\/commit\/93b19cb4ac96d1b8f51647df2b89ec4359becae1\" target=\"_blank\">pulled their bug bounty down entirely<\/a> earlier this year after receiving \u201calmost entirely AI slop reports.\u201d<\/p>\n<p class=\"wp-block-paragraph\">The leading bug bounty platforms, which essentially work as intermediaries between bug bounty hackers and companies who are willing to pay and reward them for finding flaws in their products and software, are also seeing a spike in AI-generated reports, TechCrunch has learned.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Michiel Prins, the co-founder and senior director of product management at HackerOne, told TechCrunch that the company has encountered some AI slop.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cWe\u2019ve also seen a rise in false positives \u2014 vulnerabilities that appear real but are generated by LLMs and lack real-world impact,\u201d said Prins. \u201cThese low-signal submissions can create noise that undermines the efficiency of security programs.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Prins added that reports that contain \u201challucinated vulnerabilities, vague technical content, or other forms of low-effort noise are treated as spam.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Casey Ellis, the founder of Bugcrowd, said that there are definitely researchers who use AI to find bugs and write the reports that they then submit to the company. Ellis said they are seeing an overall increase of 500 submissions per week.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cAI is widely used in most submissions, but it hasn\u2019t yet caused a significant spike in low-quality \u2018slop\u2019 reports,\u201d Ellis told TechCrunch. 
\u201cThis\u2019ll probably escalate in the future, but it\u2019s not here yet.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Ellis said that the Bugcrowd team who analyze submissions review the reports manually using established playbooks and workflows, as well as with machine learning and AI \u201cassistance.\u201d<\/p>\n<p class=\"wp-block-paragraph\">To see if other companies, including those who run their own bug bounty programs, are also receiving an increase in invalid reports or reports containing non-existent vulnerabilities hallucinated by LLMs, TechCrunch contacted Google, Meta, Microsoft, and Mozilla.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Damiano DeMonte, a spokesperson for Mozilla, which develops the Firefox browser, said that the company has \u201cnot seen a substantial increase in invalid or low quality bug reports that would appear to be AI-generated,\u201d and the rejection rate of reports \u2014 meaning how many reports get flagged as invalid \u2014 has remained steady at 5 or 6 reports per month, or less than 10% of all monthly reports.<\/p>\n<p class=\"wp-block-paragraph\">Mozilla\u2019s employees who review bug reports for Firefox \u201cdon\u2019t use AI to filter reports, as it would likely be difficult to do so without the risk of rejecting a legitimate bug report,\u201d DeMonte said in an email.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft and Meta, companies that have both bet heavily on AI, declined to comment. 
Google did not respond to a request for comment.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Ionescu predicts that one of the solutions to the problem of rising AI slop will be to keep investing in AI-powered systems that can at least perform a preliminary review and filter submissions for accuracy.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">In fact, on Tuesday, HackerOne <a rel=\"nofollow noopener\" href=\"https:\/\/www.hackerone.com\/press-release\/hackerone-unveils-hai-triage-upgraded-ai-powered-vulnerability-response\" target=\"_blank\">launched<\/a> Hai Triage, a new triaging system that combines humans and AI. According to HackerOne spokesperson Randy Walker, this new system leverages \u201cAI security agents to cut through noise, flag duplicates, and prioritize real threats.\u201d Human analysts then step in to validate the bug reports and escalate as needed.<\/p>\n<p class=\"wp-block-paragraph\">As hackers increasingly use LLMs and companies rely on AI to triage those reports, it remains to be seen which of the two AIs will prevail.<\/p>\n","protected":false},"excerpt":{"rendered":"So-called AI slop, meaning LLM-generated low quality images, videos, and text, has taken over the internet in 
the&hellip;\n","protected":false},"author":3,"featured_media":88987,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[691,49492,738,59545,59548,59547,734,2722,59546,59543,13336,340,252,59544,158,67,132,68],"class_list":{"0":"post-88986","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-artificial-intelligence","8":"tag-ai","9":"tag-ai-slop","10":"tag-artificial-intelligence","11":"tag-bug-bounty","12":"tag-bug-bounty-programs","13":"tag-bugcrowd","14":"tag-cybersecurity","15":"tag-google","16":"tag-hackerone","17":"tag-hackers","18":"tag-hacking","19":"tag-meta","20":"tag-microsoft","21":"tag-mozilla","22":"tag-technology","23":"tag-united-states","24":"tag-unitedstates","25":"tag-us"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@us\/114908988845107194","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/posts\/88986","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/comments?post=88986"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/posts\/88986\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/media\/88987"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/media?parent=88986"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/categories?post=88986"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/t
ags?post=88986"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}