Crypto teams are seeing a rise in bug bounty submissions as artificial intelligence tools make it easier to scan code and draft reports.
Summary
- Crypto teams say AI has sharply increased bug bounty submissions while false positives are rising too.
- Cosmos Labs reported a 900% jump in submissions, forcing stricter review and triage processes.
- Developers say defensive AI may help teams filter weak bug reports and find real threats.
At the same time, many protocols say the growing volume includes more low-quality or inaccurate findings, which is making review work harder.
Bug bounty programs reward security researchers for reporting software flaws before attackers exploit them. In crypto, these programs have become a common part of security efforts because protocols often manage large amounts of user funds and operate through open-source code.
Barry Plunkett, co-CEO of Cosmos Labs, said AI is changing how bug bounty programs work. He said the company’s program saw a sharp rise in volume over the past year.
“Our program has seen a 900% increase in submission volume from last year, on the order of 20-50 per day,” Plunkett noted.
He added that the rise included both valid and invalid reports, creating more work for teams trying to separate real issues from weak claims.
Kadan Stadelmann, chief technology officer at Komodo Platform, also said he has seen growth in bug bounty submissions and payouts across organizations. He said some recent reports appeared to be low quality and in some cases may have been false positives.
“There has definitely been an increase in low-quality bug bounty submissions, some of which have been false positives, potentially suggesting AI sourcing,” Stadelmann told Cointelegraph.
He added that AI may have lowered the cost and effort required to produce a report, leading to more submissions.
AI helps researchers but adds more noise
AI tools can help researchers review large amounts of code and point to possible vulnerabilities more quickly. That has made it easier for security researchers to join bounty programs and send findings to protocols.
However, AI systems can also generate inaccurate results. In bug bounty work, that can mean teams receive reports that sound technical but do not describe real flaws. This adds pressure on developers and security staff who must review each claim.
The wider trend is visible beyond crypto. In January, Daniel Stenberg, creator of the open-source tool curl, said he was ending his bug bounty program after dealing with what he described as an influx of “AI slop in vulnerability reports.”
HackerOne, one of the largest bug bounty platforms, reported in January that it recorded 85,000 valid bounty submissions in 2025. That figure was up 7% from the previous year.
Platforms tighten review standards
As submission volumes rise, some crypto teams are changing how they run bounty programs. Plunkett said Cosmos Labs has tightened how it scores incoming reports and now gives more weight to trusted researchers with a strong record.
He also said the company is working with bug bounty providers that offer more advanced triage support. That step is meant to help reduce the time spent reviewing weak or duplicate submissions.
These changes show that teams are trying to keep bounty programs useful while managing the extra load created by AI-assisted reporting. Programs still need outside researchers, but they also need stronger filters.
Security teams may turn to AI for defense
Stadelmann said AI may also become part of the answer. He said smaller teams may struggle most because they have fewer engineers available to review large numbers of submissions.
“Blockchain teams will have to create AI deterrents to sift through incoming bug bounties,” he said.
He added that defensive AI systems could help sort reports and reduce the burden on internal teams.
Stadelmann also said protocols may need stricter standards for submissions to lower the number of weak reports. As AI tools spread, bug bounty programs are likely to stay active, but teams may need new processes to manage the growing flow.
Source: https://crypto.news/ai-floods-crypto-bug-bounty-programs-with-reports-and-false-alarms/