26 May 2026·6 min read·By Sloane Meyer

How AI Is Fueling a Bug Hunting Arms Race

The bug hunting arms race accelerates as AI-assisted submissions flood bounty programs. Curl and Google adjust, the Linux kernel security list is overwhelmed, and the 90-day disclosure window may be obsolete.


The bug hunting arms race is no longer a metaphor. It is the new reality of vulnerability disclosure, and it is accelerating on both sides of the digital fence. Agentic AI models now autonomously identify software weaknesses and develop exploits, deluging bounty programs with submissions just as organizations find more bugs than ever internally. The economics are cracking. For some researchers, income is spiking. For maintainers, the pressure is existential.

The Surge Nobody Budgeted For

Independent security researcher Joseph Thacker says Google might spend two to 10 times as much on bug payouts this year, and that he has already submitted three times more bugs than he had at this point last year. The tools make it possible: he built methods that let AI relentlessly hunt flaws in major software, and the findings are landing fast.

“I’ve probably submitted three times more bugs than I did last year at this time. I would suspect that a company like Google is going to spend two to 10 times as much on bug payouts as they did last year. They can handle that pressure, but most companies can’t.”

Thacker argues that most of the easy pickings will soon be gone, so today's flood of low- and medium-severity findings will thin out next year, and some organizations will raise payouts again to attract talent for the harder bugs. How long-term supply and demand will settle is unknowable. The immediate shock is real.

A Criminal Zero Day, Confirmed

While researchers battle triage queues, attackers are quietly arming themselves. Earlier this month, Google researchers disclosed that they had observed prominent cybercrime threat actors attempting to exploit a zero-day, crafted with AI help, to bypass two-factor authentication on an open source system administration platform. They declined to identify the actors. Google notified the developer, and a fix shipped quickly.

For John Hultquist, chief analyst at Google Threat Intelligence Group, that incident is not a surprise. It is a line in the sand.

“We all assumed it was already happening, and this is our first evidence that it is happening. Zero-day use by criminal actors has been fairly limited, and the ones that do use them tend to be really successful, so I think we shouldn’t underestimate the impact of more criminals with a zero day in their hands.”

Hultquist concedes that nation-state attacks are serious, but the sheer volume of incidents organizations face still comes from criminal gangs, and more of those gangs holding AI-derived zero-days could rewrite the risk picture overnight. That, he argues, is not something to underestimate.

The Death of 90 Days

The old covenant is buckling. For years, responsible disclosure operated on a 90-day clock, a window that gave vendors time to prepare patches before flaws went public. Security researcher Himanshu Anand puts it bluntly: that world is gone. Large language models have compressed both the discovery of bugs and the development of exploits.

“The 90 day responsible disclosure window was built for a world where bug finders were rare and exploit development was slow. That world is gone. LLMs have compressed both timelines.”

The implication hangs heavy. Developers may soon feel relentless pressure to cut patch release cycles. And while faster patching sounds like an unalloyed good, it collides with a brutal truth: pushing untested updates at scale can cause outages, exactly the kind of unintended consequence that keeps infrastructure engineers awake at night. The trade-off is familiar: the same testing and rollout gates that catch a bad update also lengthen the window in which a known flaw stays exploitable.

The Bug Hunting Arms Race Reaches Maintainers

The overload is not theoretical. Curl, the command-line data transfer tool, ended its HackerOne bug bounty program in January after a flood of low-quality AI-generated reports made it unbearable. “We have concluded the hard way that a bug bounty gives people too strong incentives to find and make up ‘problems’ in bad faith that cause overload and abuse,” the project wrote. Linus Torvalds said the Linux kernel’s security mailing list had become “almost entirely unmanageable” because of the high volume of reports and duplicate AI-generated submissions.


But that framing misses something.

By April the quality had pivoted. Daniel Stenberg, Curl's founder and lead developer, posted on LinkedIn that the AI slop had vanished; in its place his team was receiving a torrent of solid reports, nearly all AI-assisted, at a frequency no one had ever seen. The load was serious, but the signal was real.

  • Curl’s bug bounty ended, then the project quietly saw an upswing in valuable AI-aided reports arriving outside any formal program.
  • Linux kernel maintainers remain swamped, but the problem has mutated from noise into a flood of legitimate, exploitable findings.

Who Pays for Better Bugs?

Google redrew the map. At the end of April, the company overhauled its Vulnerability Reward Programs for Chrome and Android, lowering payouts for some bug classes while raising them for others. As the security research landscape evolves with AI, the announcement said, the changes are meant to ensure the programs reward the most challenging and impactful vulnerabilities in its products.

Jonathan Dunn, a cardiologist who also hunts bugs, agrees that the top tier will survive: hunters with rare skills will always command payouts from the giants. What worries him is the systems nobody is watching.

“Even with AI, we also need to heavily incentivize ethical researchers to find stuff on public infrastructure and other critical systems that otherwise may not get enough attention from defenders.”

Alex Zenla, CTO of cloud security firm Edera, adds a necessary check: the new dynamic still demands human judgment. AI discovers and augments; it does not replace the analyst's brain. Meanwhile, Anthropic rolled out its own HackerOne bounty, inviting researchers to probe its Claude models, a sign that even AI builders are in the arms race and trying to stay a step ahead.

The Engineer’s Escape Hatch

Patching alone is a doomed strategy, a growing chorus of seasoned voices argues. Longtime security engineer Niels Provos puts it without sugarcoating: "You can't patch your way out of this. You need to build infrastructure that makes as many bugs as possible irrelevant."

The bug hunting arms race has forced a reckoning beyond rewards and triage dashboards. It is pushing defenders to design systems where entire classes of vulnerabilities become unexploitable regardless of whether the bug report arrives from a human or a tireless AI agent; in practice that means controls such as memory-safe languages, sandboxing and least-privilege isolation, which hold regardless of who finds the next bug. With discovery and exploitation timelines collapsing, the only durable move is to stop treating bugs as surprises and start engineering resilience in from the ground floor.

Frequently Asked Questions

What is the bug hunting arms race?

It is the escalating competition between security researchers and malicious hackers, fueled by AI tools that both sides use to find and exploit software vulnerabilities faster than vendors can respond.

How is AI changing bug hunting?

AI automates vulnerability discovery, code analysis, and exploit generation, making bug hunting faster and more scalable for both ethical hackers and attackers.

Are AI-powered bug hunters replacing human researchers?

No, AI augments human expertise by handling repetitive tasks, but human creativity and context are still crucial for complex vulnerability analysis.

What are the risks of AI in bug hunting?

AI lowers the barrier for attackers, enabling automated exploit creation and zero-day discovery, which can outpace defensive patches.

How can companies defend against AI-driven bug hunting?

Beyond patching faster, they should build systems that make whole classes of bugs unexploitable, invest in continuous monitoring, and work with ethical researchers through bug bounty or coordinated disclosure programs that can absorb the new volume.

Written by Sloane Meyer, Cybersecurity Editor

Sloane Meyer covers cybersecurity, privacy and the threats facing individuals and organisations online. She explains how attacks happen and what can be done to stay protected.
