AI-assisted vulnerability research has exploded in recent months, unleashing a firehose of low-quality reports on overworked software maintainers who are wasting hours sifting through noise instead of fixing real problems. The phenomenon, often referred to as 'AI slop,' is drowning both open source projects and commercial bug bounty programs in a tidal wave of duplicated, irrelevant, or unsubstantiated security claims. Maintainers who once spent their limited time patching critical vulnerabilities now find themselves triaging a deluge of automated submissions—many generated by the same AI tools producing near-identical findings.
The Scale of the Problem
Linus Torvalds, the creator and longtime maintainer of the Linux kernel, recently described the situation in stark terms. In a note accompanying the latest Linux kernel release candidate, Torvalds stated that the project's security mailing list has become 'almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools.' His frustration reflects a broader industry crisis: the barrier to entry for vulnerability research has been dramatically lowered by generative AI, but the quality of submissions has not kept pace. Instead, researchers—many with little to no security background—use large language models to scan code repositories, produce reports, and submit them en masse, often without verifying the findings, creating patches, or providing any meaningful context.
Torvalds urged contributors to add real value on top of what AI does: 'Read the documentation, create a patch too, and add some real value on top of what the AI did. Don't be the drive-by send a random report with no real understanding kind of person.' His plea underscores a deeper issue: the open source ecosystem relies on volunteer maintainers whose numbers are finite and whose time is precious. Every hour spent evaluating a worthless report is an hour not spent fixing a real vulnerability or improving the codebase.
GitHub's Response to the Flood
Jarom Brown, Senior Product Security Engineer at GitHub, acknowledged the challenge in a public statement. While welcoming the democratization of security research, Brown highlighted that his team is being inundated with submissions that fail to demonstrate any real security impact. Common deficiencies include reports without a proof of concept, theoretical attack scenarios that collapse under scrutiny, and findings already covered by GitHub's published ineligible list. The problem is not unique to GitHub. 'Programs across the industry are grappling with the same challenge, and some have shut down entirely,' Brown noted.
GitHub has not taken the drastic step of closing its bug bounty program, but it has tightened submission requirements. Going forward, researchers must validate AI-assisted findings before sending them in. A complete submission must include a working proof of concept that demonstrates exploitation potential and concrete security impact. Reports covering known ineligible categories will be closed as Not Applicable, which may negatively affect the submitter's HackerOne Signal and reputation. Brown also urged researchers to be concise, noting that bloated, AI-padded reports slow down triage and waste everyone's time.
The Researcher Exodus
The collateral damage extends beyond the programs themselves to the community of skilled security researchers. Shubham Shah, co-founder of Assetnote and a respected figure in the field, says organizations are now taking far longer to review legitimate reports and act on real flaws. This delay is destroying the feedback loop that keeps top researchers engaged. While bug bounty platforms like HackerOne and Bugcrowd are fighting the AI spam with their own AI tools and stricter controls, Shah believes the joy of reporting vulnerabilities is dissipating rapidly. 'Hopefully the platforms actually work this out, but until then, I can't see myself continuing to report high quality original research to certain programs where I have meaningfully contributed for a decade when they fail to understand the difference between myself and a researcher that doesn't have any credibility,' he added.
In the near term, experienced researchers may retreat to private vulnerability research and invite-only bounties, where the signal-to-noise ratio remains high. This would be a loss for the entire security ecosystem, as these researchers are often the ones finding the most critical, complex, and novel vulnerabilities.
Open Source: The Brunt of the Burden
The AI-powered 'industrialization' of vulnerability discovery is a much bigger problem for open source projects than for large organizations like Microsoft or Google. Big companies can afford dedicated security teams, sophisticated triage tools, and automation to filter junk. Open source projects rely on volunteer maintainers, whose number and time are severely limited. These limitations have led some projects to abandon traditional bug bounty programs entirely.
The cURL project provides a telling example. In late 2025, lead developer Daniel Stenberg announced that cURL would stop accepting submissions via HackerOne and eliminate monetary rewards for security reports. Stenberg hoped this would remove the incentive for submitting AI slop. The project switched to receiving reports via GitHub and email, but that approach proved less effective. After a month, cURL returned to HackerOne but maintained the decision to stop offering bounties. The result was striking: the slop problem disappeared almost overnight. The number of reports actually rose, their quality improved—even if many were still compiled with AI assistance—and the rate of confirmed vulnerabilities surpassed the pre-AI level of 2024.
Stenberg noted that while the change was welcome, the increased influx of genuinely good vulnerability reports presents a new challenge for open source projects. 'This avalanche is going to make maintainer overload even worse. Some projects will have a hard time to handle this kind of backlog expansion without any added maintainers to help,' he pointed out. In other words, AI may now be producing higher-quality findings, but there are still too many of them for small teams to handle.
Platforms and Industry Responses
In the wake of cURL's departure and return, HackerOne acknowledged the problem. Michiel Prins, Co-founder and Senior Director of Product Management at HackerOne, told Help Net Security that preserving signal quality is critical as AI makes it easier to automate submissions. 'Our focus is helping programs manage that shift with workflows that filter noise early, surface credible reports, and keep vulnerability management sustainable, so open source communities can maintain the transparency and resilience they're known for,' Prins stated. HackerOne advises customers to refine submission scope and guidelines, use AI-assisted triage tools, and pair automation with human oversight.
The Open Source Security Foundation's Vulnerability Disclosures Working Group is also seeking community feedback as it works to help maintainers tackle AI-generated junk reports. Its goals include compiling best practices, creating policy templates, and developing guidance to help maintainers recognize and handle AI-assisted submissions. These efforts are still in early stages, but they represent a coordinated attempt to save open source from being buried in noise.
Beyond individual projects and platforms, the broader security community is debating long-term solutions. Some argue for mandatory researcher certification or reputation systems that weight submissions based on track record. Others propose that AI tools themselves should be required to include metadata about how a finding was generated, making it easier for triagers to evaluate credibility. Still others believe the only sustainable answer is for large tech companies to fund dedicated triage teams for critical open source dependencies, similar to the concept of a 'security steward' or 'maintainer relief' fund.
The underlying problem, however, is not just technical but economic. Bug bounties were designed to incentivize discovery, but when AI can generate thousands of low-cost reports, the incentive structure breaks down. Projects that have eliminated or reduced bounties have seen improvements, but that may simply shift the problem elsewhere. The open source community urgently needs scalable solutions that preserve the benefits of AI-assisted research—lowering the barrier to entry, enabling more thorough code analysis—while filtering out the noise that threatens to overwhelm the system.
Source: Help Net Security News