AI-Generated Bug Submissions Create ‘Carnage’

AI-generated submissions to bug-spotting services are creating “carnage” in some cases, a computer security researcher has said, with a surge in spurious or low-quality submissions causing some services to suspend operations.

The increase in low-quality or false submissions is coming both from amateurs using AI tools and from experts who are sometimes being “led on” by AI agents, Sophos chief information officer Ross McKerchar told the Financial Times.

On top of those are AI-focused developers who have built end-to-end scanning and submission systems that are “creating absolute carnage”, McKerchar said.


‘Explosion’ of slop

He and other experts said bug-bounty systems, which have grown in popularity over the past 20 years, would have to make substantial changes to account for the new trend, as AI tools become more widely used in cybersecurity.

Curl, a data transfer tool, suspended its bug-bounty programme in January, citing an “explosion in AI slop reports” and lower-quality submissions.

Bugcrowd, whose service is used by companies such as OpenAI, T-Mobile and Motorola, said the number of reports it received more than quadrupled over a three-week period in March, with most proving to be false positives.

AI-based triage

HackerOne, whose bug-reporting platform is used by Goldman Sachs, Google and the US Department of Defence, said submissions jumped 76 percent in the year to March, while the proportion of reports that described genuine flaws stayed flat at 25 percent.

The company said it has introduced an AI-based validation system for sorting through “high volumes” of findings, including automated submissions.
