AI is drowning software maintainers in junk security reports

May 26, 2026, by Twila Rosenbaum

The rise of AI-assisted vulnerability research has transformed the cybersecurity landscape, but not entirely for the better. While these tools promise to democratize security testing and accelerate the discovery of flaws, they have also unleashed an unprecedented firehose of low-quality reports that are drowning overworked software maintainers. Instead of focusing on high-impact vulnerabilities, maintainers now spend hours sifting through noise—duplicate findings, theoretical attacks, and automated outputs lacking any real security context. This trend has sparked growing frustration across the industry, from the Linux kernel to major tech firms and open source projects.

The Linux Kernel's Struggle

Linus Torvalds, the creator of the Linux kernel, recently sounded the alarm in a note accompanying the latest kernel release candidate. He described the project's security mailing list as “almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools.” Torvalds emphasized that AI tools often produce identical results, leading to a flood of redundant reports that waste valuable maintainer time. He urged researchers to add real value by reading documentation, creating patches, and demonstrating genuine understanding rather than just submitting automated output. “If you found a bug using AI tools, the chances are somebody else found it too,” he wrote, highlighting the lack of originality in many submissions.

GitHub's Response

GitHub, the world's largest code hosting platform, has also felt the impact. Jarom Brown, Senior Product Security Engineer at GitHub, acknowledged in a recent statement that while AI lowers the barrier to entry for security research, his team is overwhelmed by submissions that fail to demonstrate any real security impact. These include reports without proof of concept, theoretical scenarios that don't hold up under scrutiny, and findings already covered by GitHub's published ineligible list. The problem is not unique to GitHub; security programs across the industry face the same deluge. Some have even shut down entirely. GitHub has opted for stricter submission requirements: submitters must now validate AI-assisted findings before sending them and include a working proof of concept that demonstrates exploitation potential and concrete security impact. Reports covering known ineligible categories are closed as Not Applicable, potentially affecting the submitter's HackerOne Signal and reputation. Brown also urged researchers to be concise, as bloated, AI-padded reports slow down triage and waste everyone's time.

The Researcher's Perspective

The influx of low-quality reports has collateral damage beyond maintainer burnout. Respected security researcher Shubham Shah, co-founder of Assetnote, notes that organizations are now taking far longer to review legitimate reports and act on real flaws. This delays feedback loops that keep top researchers engaged. Bug bounty platforms like HackerOne and Bugcrowd are attempting to fight the spam with AI and added controls, but Shah says “the joy of reporting vulnerabilities to bug bounties is quickly dissipating.” He fears that experienced researchers may retreat to private vulnerability research and invite-only bounties, reducing the overall quality of submissions to public programs. This erosion of trust threatens the collaborative ecosystem that has driven security improvements for years.

Open Source Projects Bear the Brunt

The AI-powered industrialization of vulnerability discovery is particularly damaging for open source projects, which rely heavily on volunteer maintainers with limited time and resources. Unlike large corporations like Microsoft or Google, these projects cannot easily absorb the flood of junk reports. The cURL project, led by Daniel Stenberg, serves as a cautionary tale. Initially, cURL stopped accepting HackerOne submissions and eliminated monetary rewards for security reports, hoping to remove the financial incentive for AI slop. Stenberg believed that “the best and our most valued security reporters still will tell us when they find security vulnerabilities.” The project switched to accepting reports via GitHub or email, but reverted to HackerOne a month later due to the inefficiency of alternative channels. However, they maintained the decision to stop offering bounties. Stenberg reported in April 2026 that “the slop situation is not a problem anymore.” The number of reports rose, their quality improved (even if AI-assisted), and the confirmed vulnerability rate surpassed pre-AI levels. Yet, this success presents a new challenge: the increased volume of legitimate reports now threatens to overwhelm maintainers. “This avalanche is going to make maintainer overload even worse,” Stenberg warned, citing a backlog expansion with no additional maintainers to help.

Platform Responses and Industry Adaptation

In the wake of cURL's departure and return, HackerOne acknowledged the AI slop problem and advised customers to refine scope and submission guidelines, use AI-assisted triage tools, and combine automation with human oversight. Michiel Prins, Co-founder & Senior Director of Product Management at HackerOne, emphasized the need to preserve signal quality so open source maintainers can focus on fixing real issues. HackerOne is developing workflows to filter noise early, surface credible reports, and keep vulnerability management sustainable. The Open Source Security Foundation's Vulnerability Disclosures Working Group is also seeking community feedback to compile best practices, create policy templates, and develop guidance for spotting and handling AI-assisted submissions. These efforts aim to help maintainers differentiate between valuable findings and automated garbage.

Broader Implications for Cybersecurity

The explosion of AI-generated security reports reflects a larger trend in cybersecurity: the race to leverage automation often comes with unintended consequences. While AI can theoretically enhance vulnerability discovery, its current use encourages quantity over quality. The result is a system where genuine vulnerabilities may be overlooked amidst the noise, and maintainer burnout intensifies. According to industry reports, the number of vulnerability submissions has increased by 300% year-over-year in some programs, but the ratio of actionable reports has plummeted. This imbalance threatens the sustainability of open source projects and the trust in bug bounty programs. Experienced researchers like Shubham Shah argue that until platforms adapt, high-quality contributions will decline, forcing experts to bypass public programs entirely.

Historical context shows that bug bounty programs evolved from informal community efforts to structured platforms like HackerOne and Bugcrowd, offering monetary incentives for responsible disclosure. The influx of AI-generated reports disrupts this model, as many submitters prioritize volume over accuracy. Programs that fail to adapt risk alienating both maintainers and top researchers. The cURL project's experience demonstrates that removing financial rewards can reduce spam but also changes the dynamic of submissions. Other projects may follow suit, shifting to invite-only or trusted reporter systems.

The Path Forward

To address this challenge, industry leaders recommend a multi-pronged approach. First, clearer guidelines and scope definitions can help reduce irrelevant submissions. Second, AI-based triage tools must be developed to automatically filter obvious duplicates and low-value reports, but human oversight remains essential. Third, maintaining open communication between researchers and maintainers can build trust and encourage quality over quantity. The Open Source Security Foundation's working group is a step in the right direction, but broader adoption is needed. As AI continues to evolve, the cybersecurity community must prioritize collaboration and sustainable practices to ensure that the benefits of automation do not come at the cost of maintainer sanity and security quality.


Source: Help Net Security News