AI Is Turning Bug Hunting Into a Faster, Costlier Arms Race

AI is reshaping bug hunting
A decade after bug bounty programs moved from niche security practice to mainstream corporate policy, a new wave of AI tools is upending the economics of vulnerability research. Agentic AI systems are becoming better at both finding software weaknesses and developing exploits, flooding disclosure programs with more submissions even as organizations uncover more bugs on their own.
The result is a sharpening arms race between researchers, companies and attackers. Independent security researcher Joseph Thacker, who has built tools and methods for using AI in his own work, said he has submitted roughly three times more bugs than he had by this point last year. He expects the pressure to hit large companies first.
"I would suspect that a company like Google is going to spend two to 10 times as much on bug payouts as they did last year," Thacker said.
He added that big technology companies can absorb the increase, but many others cannot. In his view, AI systems are already finding easier vulnerabilities, and next year there may be fewer low-hanging bugs left to submit because many of them will already have been found.
Disclosure deadlines under pressure
The shift is also challenging long-standing norms around responsible disclosure. Security researcher Himanshu Anand wrote earlier this month that the 90-day disclosure window was built for a world where bug finders were rare and exploit development was slow, adding that large language models have compressed both timelines.
That compression could push developers to release patches faster, especially if attackers are able to discover and weaponize flaws more quickly than before. It may also force organizations to improve how quickly they deploy fixes internally, a process that has always been difficult because patches can create new problems if they are rolled out without enough testing.
Bug bounty programs themselves have already evolved dramatically. When Apple launched its bounty in 2016, its top reward was $200,000. The company raised that to $1 million in 2019 and then to $2 million last year.
Now, with AI increasing both the supply of bugs and the speed of exploit creation, researchers say the next phase of vulnerability research is likely to look very different from the one that came before it.