原文 · 未翻译
Companies that pay hackers to find flaws in their software are being inundated with low-quality reports generated by AI, forcing some to suspend the programs altogether.
Businesses that run “bug bounty” schemes have long relied on independent security researchers to spot vulnerabilities. But the rise of AI tools is now overwhelming them with spurious submissions.
Bugcrowd, whose customers include OpenAI, T-Mobile, and Motorola, said the number of reports it received more than quadrupled over a three-week period in March, with most proving to be false.
Curl, a widely used tool to transfer data across the Internet, suspended its paid bug bounty program in January, citing an “explosion in AI slop reports” and lower-quality submissions.
Cyber security experts say advances in generative AI are reshaping the economics of bug bounty programs. While the tools allow experienced researchers to find flaws more quickly, they are also lowering the barrier to entry, triggering a flood of automated or erroneous submissions that companies must sift through.
The big increase in poor-quality AI reports was “quickly becoming a major problem,” said Ross McKerchar, chief information security officer at cyber security group Sophos. “Bug bounties are going to stay [but] they’re going to have to change,” he said.
Bug bounties have grown in popularity since the early 2000s, with schemes offering six-figure payouts for the biggest discoveries. Google’s program disbursed a total of $17 million last year, up from $7.5 million in 2021. It paid its largest individual reward of $605,000 in 2022 to a user who spotted a vulnerability in its Android mobile operating system.
McKerchar said the rise in poor-quality submissions came from both amateurs trying to find bugs for the first time and existing researchers who were “sometimes getting led on by the [AI] agents.”
He added there was a “third cohort” of “experienced AI builders” who had developed automated “end-to-end scanning and submission systems” that were “creating absolute carnage.”
Curl’s creator, Daniel Stenberg, wrote in a blog post that the “never-ending slop” had taken “a serious mental toll to manage and sometimes also a long time to debunk.”
Software group Nextcloud suspended its bug bounty program in April because of the “massive increase of low-quality reports.” It said it hoped to resume the program once it had found a way to filter submissions effectively.
The surge in AI-generated reports comes as Anthropic last month launched Mythos, its new cyber AI model, which it says can find software flaws faster than humans.
Companies running bug bounty programs have started to introduce more stringent background checks to combat the problem, as well as building AI agents to triage submissions.