Firehose of ‘false positives’: Gunter Ollmann, CTO at Cobalt.io, warns that AI is exacerbating the existing problem of vendors getting swamped with often low-quality bug submissions.

Security researchers’ turn to AI is creating a “firehose of noise, false positives, and duplicates,” according to Ollmann.

“The future of security testing isn’t about managing a crowd of bug hunters finding duplicate and low-quality bugs; it’s about accessing on demand the best experts to find and fix exploitable vulnerabilities, as part of a continuous, programmatic, offensive security program,” Ollmann says.

Trevor Horwitz, CISO at UK-based investment research platform TrustNet, adds: “The best results still come from people who know how to guide the tools. AI brings speed and scale, but human judgment is what turns output into impact.”

Gal Nagli, head of threat exposure at cloud security vendor Wiz and a bug bounty hunter, tells CSO that AI tools are yet to make a dramatic difference in bug bounty hunting, at least when it comes to more skilled practitioners. For example, researchers who automate infrastructure-based vulnerabilities at scale, like default credentials or subdomain takeovers, already have reliable tooling and detections in place. “AI isn’t needed in those cases,” Nagli says.

“The real value of AI is in augmenting expert researchers, especially when testing authenticated portals or analyzing sprawling codebases and JavaScript files,” Nagli explains. “It helps uncover vulnerabilities that were previously too complex or subtle to detect without AI.”

The latest generation of models can provide real assistance to skilled bug bounty hunters, not by replacing them, but by enhancing what they’re able to find.

“Fully autonomous agents still struggle, especially with authentication and scenarios where human context is critical,” Nagli adds.
Enterprise risk management: Bug bounty programs have matured into extensions of enterprise risk management strategies by constantly surfacing real threats before attackers exploit them.

Security leaders are moving toward continuous, data-driven exposure management, combining human intelligence with automation to maintain real-time visibility across assets, supply chains, and APIs.

HackerOne reports that 83% of organizations surveyed now use bug bounties, and payouts grew 13% year-over-year, reaching $81 million across all programs.

As common vulnerability types like cross-site scripting (XSS) and SQL injection become easier to mitigate, organizations are shifting their focus and rewards toward findings that expose deeper systemic risk, including identity, access, and business logic flaws, according to HackerOne.

HackerOne’s latest annual benchmark report shows that improper access control and insecure direct object reference (IDOR) vulnerabilities increased between 18% and 29% year over year, highlighting where both attackers and defenders are now concentrating their efforts.

“The challenge for organizations in 2025 will be balancing speed, transparency, and trust: measuring crowdsourced offensive testing while maintaining responsible disclosure, fair payouts, and AI-augmented vulnerability report validation,” HackerOne’s Hazen concludes.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4082265/ai-powered-bug-hunting-shakes-up-bounty-industry-for-better-or-worse.html