AI-Powered Bug Hunting Floods Vulnerability Programs, Reshaping Cybersecurity Economics
The rise of AI is dramatically changing the landscape of vulnerability disclosure and bug bounty programs. As AI models become adept at identifying and exploiting software weaknesses, organizations are facing a surge in submissions, forcing them to re-evaluate their approach to bug bounties and patch management.
A decade ago, vulnerability disclosure and "bug bounty" programs began transforming how institutions approached security research, shifting from hostility to acknowledging the necessity of external input and prompt patching. **Apple**, for instance, started with a top reward of $200,000 in 2016, which escalated to $2 million last year. However, the proliferation of agentic AI is poised to disrupt this established system.
### The AI Flood
As agentic AI models become more proficient in autonomously identifying software vulnerabilities and developing exploits, vulnerability disclosure programs are experiencing an influx of submissions. This surge coincides with organizations discovering more bugs internally, altering the economics of bug bounties for both institutions and researchers.
"I've probably submitted three times more bugs than I did last year at this time; I would suspect that a company like **Google** is going to spend two to 10 times as much on bug payouts as they did last year," says independent security researcher **Joseph Thacker**, who uses AI in his bug hunting.
Thacker notes that while tech giants can handle the increased pressure, most companies cannot. He anticipates a future decrease in submissions as AI finds the low-hanging fruit, potentially prompting companies to increase payouts again.
### The 90-Day Disclosure Deadline Under Pressure
The effectiveness of AI in exploit discovery and automated system scanning may pressure developers to expedite patch releases, potentially impacting established standards like 90-day disclosure deadlines.
As security researcher **Himanshu Anand** wrote, "The 90 day responsible disclosure window was built for a world where bug finders were rare and exploit development was slow. That world is gone. LLMs have compressed both timelines."
This urgency could drive improvements in how quickly organizations deploy vulnerability fixes, addressing the complex challenge of patch proliferation and its potential unintended consequences.
### AI-Facilitated Attacks on the Rise
The urgency of real-world attacks facilitated by AI is growing, with both sophisticated and less-proficient actors leveraging AI to expand their capabilities and reduce costs. **Google** researchers recently observed cybercrime actors attempting to exploit a **zero-day** vulnerability developed using AI to bypass two-factor authentication on an open-source system administration platform.
"We all assumed it was already happening, and this is our first evidence that it is happening," says **John Hultquist**, Google Threat Intelligence Group chief analyst, regarding attackers using AI to discover and exploit novel vulnerabilities.
Hultquist emphasizes the significant impact of more criminals gaining access to zero-day exploits, given the already high success rate of those who currently use them.
### Bug Bounty Programs Adapt
For researchers earning income through bug hunting, the landscape is shifting. The command-line tool **Curl** ended its bug bounty program (run through third-party service **HackerOne**) in January due to a flood of low-quality, AI-generated submissions.
"We have concluded the hard way that a bug bounty gives people too strong incentives to find and make up 'problems' in bad faith that cause overload and abuse," the group wrote.
**Linus Torvalds** noted that the **Linux** security mailing list has become "almost entirely unmanageable" due to high volume and duplicate AI bug reports. However, **Daniel Stenberg**, founder of Curl, noted an improvement in submission quality, with an increasing number of high-quality reports aided by AI.
In April, Google announced an overhaul of its Vulnerability Reward Programs for Chrome and Android, adjusting payouts to focus on the most challenging and impactful vulnerabilities.
"As the security research landscape evolves with AI, we're making changes in our programs to ensure we're rewarding the most challenging and impactful vulnerabilities in our products," the company wrote.
Jonathan Dunn, a cardiologist and bug bounty hunter, believes that highly skilled bug hunters will continue to find and be rewarded for vulnerabilities. He also stressed the need to incentivize ethical researchers to focus on public infrastructure and critical systems that may not receive adequate attention otherwise.