A recent incident involving the curl open source project has put the spotlight on a growing threat to bug bounty platforms: automatically generated, fraudulent vulnerability reports created by large language models (LLMs).
These reports, while often highly technical and plausible on the surface, lack any basis in actual code or software behavior.
The exposure of such a case this week by security researcher Harry Sintonen has highlighted both the technical sophistication of the scams and the vulnerabilities within current bug bounty workflows.
AI-Generated Reports Exploit
The fraudulent report in question, submitted to curl via the HackerOne platform, contained citations to nonexistent functions, proposed unverified patches, and outlined vulnerabilities that could not be reproduced under any circumstances.
Despite the convincing technical language, the report quickly unraveled during expert review: it described imaginary functionality, referenced fake commit hashes, and provided no actionable reproduction steps.
The scam, attributed to the @evilginx account, mirrors tactics used to target other organizations-some of which have paid bounties without rigorous vetting.
However, curl’s experienced maintainers identified the submission as AI-generated slop.
According to Sintonen, the curl team’s deep technical expertise and independence from corporate bug bounty pressure allowed them to dismiss the false report outright.
According to Socket Report, this stands in stark contrast to many under-resourced organizations, where a lack of specialized knowledge prompts hasty payments rather than detailed analysis.
The exploit here is not in software, but in human and organizational processes: attackers bank on project teams being unable or unwilling to expend the resources needed for thorough vetting.
AI Slop Threatens Vulnerability Disclosure Ecosystem
Open source and smaller teams have begun reporting a deluge of similar AI-generated submissions.
At Open Collective, software engineer Benjamin Piouffle described an increasing volume of “AI garbage” reports, which can still be filtered by their technical reviewers-for now.
The underlying concern, echoed by members of the Python Software Foundation’s security team, is that the increasing plausibility of these LLM-generated reports means valuable expert time is wasted debunking fabricated issues.
Unlike honest errors, these AI-generated fake reports are a deliberate attempt to game bug bounty systems.
By submitting convincing-but-false technical writeups, scammers exploit incentives and resource limitations, exacerbating security theater and diluting the impact of legitimate researchers.
This has damaging side effects: trust in bug bounty workflows is eroded, talented security researchers are discouraged or displaced, and organizations may retreat from vulnerability disclosure altogether.
Platforms like HackerOne face mounting criticism for failing to adequately detect and ban accounts submitting repeated AI slop.
Some have called for stronger researcher verification, more stringent report validation, or the implementation of AI-assisted triage mechanisms.
Yet, the core challenge remains human: organizations must invest in real expertise and rigorous triage if bug bounty programs are to remain credible.
The curl incident underscores the fragility of the current bug bounty landscape.
As AI-generated submissions multiply, the sustainability of open reporting and reward systems is threatened.
Without robust adaptations from both platforms and participating organizations, the foundational trust that makes coordinated vulnerability disclosure possible may be irreparably damaged.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
