
AI Floods Crypto Bug Bounty Programs With Bogus Reports, Straining Review Teams
Key Takeaways
- AI drives surge in bug-bounty submissions, bogging down review teams.
- Bogus reports and false positives are rising, forcing stricter triage.
- AI tools speed code scanning and draft reports for bug bounties.
AI floods bug bounties
Crypto protocols and security platforms are reporting a surge in “bug bounty” submissions tied to the growing use of artificial intelligence, while warning that the volume is also bringing more low-quality reports and false alarms.
Cointelegraph reports that crypto protocols have warned that an increase in AI use has led to “a flood of bogus bug bounty submissions,” putting “a strain on teams trying to identify real threats to their protocols.”

In the same reporting, Cointelegraph explains that bug bounties reward “good” hackers for submitting reports about potential vulnerabilities, and that AI has made it easier to sift through large amounts of code to find possible bugs even as AI is “also known to hallucinate.”
crypto.news similarly frames the trend as AI tools making it easier to scan code and draft reports, while “false positives are rising too.”
TradingView repeats the same core reporting, stating that “AI drives surge in ‘bug bounty’ reports, but the ‘slop’ is rising too,” and quotes the same participants about the strain on review teams.
Across the three outlets, the central operational problem is not just more submissions, but more submissions that require additional triage to separate real issues from weak claims.
Cosmos sees 900% jump
The clearest quantitative signal comes from Cosmos Labs, where Barry Plunkett, co-CEO, says the company’s bug bounty program has experienced a dramatic increase in submission volume.
Cointelegraph reports that Plunkett told a bug bounty hunter who accused the protocol of ignoring their vulnerability report that “Our program has seen a 900% increase in submission volume from last year, on the order of 20-50 per day.”

crypto.news repeats the same figures, stating that Plunkett said the rise in volume forced “stricter review and triage processes,” and that the increase included both valid and invalid reports.
In Cointelegraph’s account, Plunkett adds that the surge has “led to a huge increase in both valid and invalid reports,” creating more work for teams trying to separate real issues from weak claims.
The reporting also links the volume change to AI’s ability to reduce the cost and effort required to produce reports, which can increase the number of submissions even when many are not actionable.
Cointelegraph quotes Kadan Stadelmann, a blockchain developer and chief technology officer at Komodo Platform, saying there has been “an increase in low-quality bug bounty submissions, some of which have been false positives, potentially suggesting AI sourcing.”
crypto.news similarly attributes the low-quality influx to AI lowering the cost and effort required to produce a report, leading to more submissions.
HackerOne tallies 85,000
Beyond individual protocols, the reporting points to broader platform-level metrics that show how large the bug bounty pipeline has become.
Cointelegraph says HackerOne, “one of the largest bug bounty platforms in the world,” reported in January that there were “85,000 valid bounty submissions in 2025, up 7% from the previous year.”
crypto.news repeats the same HackerOne figures, again stating “85,000 valid bounty submissions in 2025” and “up 7% from the previous year.”
The outlets also connect the rise to the way AI changes the mechanics of vulnerability research, including how AI can help researchers review large amounts of code and draft reports more quickly.
Cointelegraph describes AI as making it easier to sift through large amounts of code to find possible bugs, while noting that AI is “also known to hallucinate.”
crypto.news adds that AI tools can help researchers review large amounts of code and point to possible vulnerabilities more quickly, but that AI systems can generate inaccurate results that “sound technical but do not describe real flaws.”
The reporting also includes a separate example from outside crypto: in January, Daniel Stenberg announced he was ending his bug bounty program because of an influx of “AI slop in vulnerability reports.”
Teams tighten scoring and triage
In response to the increased noise, the outlets describe protocols adjusting how they evaluate and prioritize bug bounty reports, with Cosmos Labs cited as already changing its approach.
Cointelegraph reports that Plunkett said Cosmos Labs has started to adapt by “tightening how it scores submissions,” “prioritizing trusted researchers with a proven track record,” and “working with other bug bounty providers that offer more advanced triage.”

crypto.news similarly says Plunkett described Cosmos tightening how it scores incoming reports and giving more weight to trusted researchers with a strong record, with the goal of reducing time spent reviewing weak or duplicate submissions.
The reporting further emphasizes that defensive processes may need to evolve beyond manual review, especially for smaller teams that cannot examine everything.
Stadelmann’s comments in Cointelegraph and crypto.news both stress that “Software engineers won't have the capacity to examine everything,” and that “Blockchain teams will have to create AI deterrents to sift through incoming bug bounties.”
In Cointelegraph’s version, Stadelmann adds that “This is where defensive AI systems to automatically sift through incoming bug bounties will be crucial,” while crypto.news describes defensive AI as potentially helping teams filter weak bug reports and find real threats.
Across the accounts, the operational theme is that bug bounty programs remain integral to defending decentralized systems, but the intake pipeline is changing enough that scoring, triage, and filtering are becoming central.
What happens next
The reporting suggests that the bug bounty ecosystem is likely to keep operating, but with new constraints and defensive tooling to handle the increased volume and the risk of inaccurate submissions.
“Crypto teams are seeing a rise in bug bounty submissions as artificial intelligence tools make it easier to scan code and draft reports”
Cointelegraph says Stadelmann argued that bug bounty programs have proven integral to defending decentralized systems, and that adopting AI to assist in sifting through the noise could be a solution.

In that same account, Stadelmann warns that “The smaller the team, the bigger the problem of increased bug bounties will become,” tying the operational burden to staffing and capacity.
Cointelegraph also states that teams dependent on bug bounties “will need to develop stricter standards on their bug bounty programs as a means of lowering the number of incoming reports.”
crypto.news echoes the idea that programs still need outside researchers, but they also need stronger filters, and it describes the wider trend as likely to continue as AI tools spread.
TradingView’s version keeps the same framing by emphasizing that AI is changing how bug bounty programs must operate and by repeating the “slop” language around vulnerability reports.
The story also includes a concrete example of how individuals are reacting to the noise: Daniel Stenberg said he was ending his bug bounty program due to an influx of “AI slop in vulnerability reports,” and that he was exhausted from sifting through them.