AI Spam Overwhelms Bug Bounties, Exposing Crypto Security Risks

ChainGPT
Summary

AI spam is clogging bug bounty programs, raising concerns for crypto security. ChainGPT reports that value investing in crypto faces new risks as fake reports surge. Bugcrowd saw a fourfold rise in March, forcing some firms to pause paid programs. TA for crypto remains vital as vulnerabilities go unnoticed. Companies including Meta and Crypto.com have paid over $58 million in bounties this year. Experts suggest AI triage and hybrid review models as long-term fixes.

AI is swamping bug bounty programs with garbage reports — and crypto firms are caught in the crossfire. Companies and open-source projects that rely on crowdsourced vulnerability hunting are being overwhelmed by a surge of AI-generated submissions, many of which are false, misleading, or low-effort. The Financial Times reports that security teams are spending far more time triaging junk than fixing real flaws, prompting some organizations to pause or rethink public bounty programs.

Why it matters for crypto: bug bounties are a frontline defense for exchanges, wallets, smart-contract platforms and other crypto infrastructure. In 2025 alone, firms including Meta, Microsoft, Apple and Crypto.com have together paid at least $58 million to researchers who responsibly disclose flaws. If bounty programs become noisy or collapse under spam, the risk window for critical blockchain and custody vulnerabilities widens — a dangerous prospect for funds and users.

What’s driving the flood: generative AI makes it cheap and fast to produce mass volumes of plausible-sounding vulnerability reports. Bugcrowd, the San Francisco–based platform whose clients include OpenAI, said reports filed through its service more than quadrupled over three weeks in March — and most were fake.

As a result, some organizations are already scaling back. In April, HackerOne and Nextcloud suspended paid bounty programs; Nextcloud explicitly said “no financial rewards will be awarded for any submissions, regardless of severity,” adding that the industry has “been unable to find ways to responsibly handle the massive increase of low quality reports.”

“Bug bounties are going to stay [but] they’re going to have to change,” Ross McKerchar, CISO at Sophos, told the Financial Times — a view increasingly shared across security teams that need new ways to separate signal from AI-generated noise.

At the same time, AI is improving the offensive and defensive sides of security. Anthropic in March revealed a cyber-focused model called Mythos, which the company says can identify vulnerabilities faster than humans. Access is currently limited to big tech firms, security companies and governments. In internal tests, Mythos (referred to as Claude Mythos) reportedly identified 271 vulnerabilities in Mozilla Firefox, and a preview version has been tied to development of an exploit against Apple’s M5 chips. Market watchers on Myriad, a prediction market run by Decrypt’s parent Dastan, give only 18% odds that Claude Mythos will be publicly released by the end of June — suggesting broader access may remain restricted for now.

What this means and how the industry might respond

- Short term: expect more bounty suspensions, invite-only or vetted researcher programs, and longer triage backlogs. Crypto firms that depend on public crowdsourced hunting are particularly exposed.
- Medium term: security teams will likely adopt stronger submission filters, reputation-based rewards, and AI-assisted triage tools to automatically weed out low-quality reports.
- Longer term: hybrid approaches — combining human reviewers, vetted expert pools, and targeted bounties for high-value targets (e.g., smart-contract audits) — may become the norm.

For the crypto sector, the noise presents a fork in the road: abandon public scrutiny at your peril, or evolve bounty programs and tooling to resist AI-driven spam. Either way, organizations that can deploy smarter filtering and trusted researcher networks will be better positioned to keep protocols, wallets and exchanges secure as generative AI reshapes the vulnerability-disclosure landscape.
