HackerOne pulled in 85,000 valid bug bounty submissions last year. That’s a 7% jump from 2024, and the company’s pretty clear about what drove it: artificial intelligence.
The bug bounty platform, one of the biggest in the space, saw AI reshape how security researchers hunt for vulnerabilities. More tools meant more reports. But it also meant more noise. HackerOne didn’t spell out exact figures on what it calls “slop”—reports that don’t quite hit the mark—but sources close to the platform say the volume of low-quality submissions climbed alongside the valid ones. AI can churn out reports fast. Too fast, maybe.
AI Sharpens Detection but Muddies the Water
Artificial intelligence changed the game for bug hunters in 2025. Researchers leaned hard on AI-powered scanners and analysis tools to spot flaws in code. The tech can rip through codebases in minutes, flagging potential issues that might take humans hours or days to find. Companies using HackerOne’s platform saw the benefits—more eyes, or at least more algorithmic eyes, on their software.
But there’s a flip side. The same tools that boost efficiency also flood the system. Not every AI-flagged issue turns out to be a real problem. Some submissions lack context. Others miss the severity mark. And a chunk of them? They’re duplicates or false positives dressed up in technical language. The platform hasn’t said how much of the incoming flow falls into that bucket, but industry chatter suggests it’s not small.
Bug bounty programs depend on quality, not just quantity. A thousand mediocre reports don’t help if the real critical vulnerabilities get buried in the pile. HackerOne’s challenge now is sorting the wheat from the chaff without slowing down response times for legitimate finds.
Filtering Gets Harder as Volume Climbs
The 7% uptick sounds modest. It’s not. When you’re already processing tens of thousands of submissions annually, even a small percentage increase means thousands more reports to review, validate, and route to the right teams. HackerOne’s triage process—the first line of defense in separating serious bugs from noise—faces mounting pressure.
Platforms like HackerOne typically use a mix of automated checks and human reviewers to assess incoming reports. The automated side can catch obvious duplicates or submissions that don’t meet basic criteria. The human side handles the nuanced stuff: Is the reported flaw actually exploitable? Does it pose real risk? What’s the impact if someone weaponizes it?
AI-generated reports complicate that workflow. They often look legitimate on the surface. The language is technical. The formatting is clean. But the substance can be thin. Reviewers spend time digging into reports that ultimately don’t pan out, and that time costs money and delays feedback to researchers who did find something real.
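The split between automated checks and human review described above can be made concrete with a small pre-triage pass. The code below is an added example written for this page, not HackerOne’s code or a description of its actual pipeline. The report fields, the program scope list, the alias table for vulnerability classes, the ten-word threshold for reproduction steps, and the four sample reports are all constructed assumptions. It shows the two things the automated side is good at (catching duplicates via a normalized fingerprint and bouncing submissions that miss basic criteria) and routes everything else to a human.

```python
"""Added example: a minimal automated pre-triage pass for bug bounty reports.

Not HackerOne's code. Runs offline over constructed sample reports and
routes each one to: out_of_scope, needs_info, duplicate, or human_review.
"""
from dataclasses import dataclass
import hashlib
import re

# Assumed: how a program might alias free-text vulnerability classes.
CLASS_ALIASES = {
    "cross site scripting": "xss",
    "insecure direct object reference": "idor",
    "sql injection": "sqli",
}
MIN_REPRO_WORDS = 10  # assumed threshold for "has real reproduction steps"


@dataclass
class Report:
    id: str
    asset: str            # host the researcher says is affected
    vuln_class: str       # free text, e.g. "XSS" or "Cross-Site Scripting"
    location: str         # endpoint / parameter
    repro_steps: str
    severity_claimed: str


@dataclass
class TriageResult:
    route: str            # out_of_scope | needs_info | duplicate | human_review
    reason: str
    fingerprint: str = ""


def normalize(text: str) -> str:
    """Lowercase and collapse punctuation so wording differences do not matter."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def canonical_class(name: str) -> str:
    n = normalize(name)
    return CLASS_ALIASES.get(n, n)


def fingerprint(report: Report) -> str:
    """Same asset + vulnerability class + location => same underlying bug."""
    key = "|".join((normalize(report.asset), canonical_class(report.vuln_class),
                    normalize(report.location)))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def meets_basic_criteria(report: Report):
    """Cheap completeness checks that need no security judgement."""
    if not report.asset.strip():
        return False, "no affected asset given"
    if len(normalize(report.repro_steps).split()) < MIN_REPRO_WORDS:
        return False, "reproduction steps missing or too thin"
    return True, ""


def triage(reports, in_scope):
    """Automated pass; only reports that survive it reach a human reviewer."""
    scope = {normalize(s) for s in in_scope}
    seen = {}       # fingerprint -> id of the first report with that fingerprint
    results = {}
    for r in reports:
        if normalize(r.asset) not in scope:
            results[r.id] = TriageResult("out_of_scope", f"{r.asset} not in program scope")
            continue
        ok, why = meets_basic_criteria(r)
        if not ok:
            results[r.id] = TriageResult("needs_info", why)
            continue
        fp = fingerprint(r)
        if fp in seen:
            results[r.id] = TriageResult("duplicate", f"same finding as {seen[fp]}", fp)
            continue
        seen[fp] = r.id
        results[r.id] = TriageResult("human_review", "passed automated checks", fp)
    return results


def run_demo():
    # Constructed sample reports; example.com / example.net are placeholder hosts.
    reports = [
        Report("R1", "app.example.com", "XSS", "/search?q",
               "Log in as any user. Open the search page with q set to a script "
               "tag. The value is reflected into the page without encoding.", "High"),
        Report("R2", "App.Example.com", "Cross-Site Scripting", "/search?q=",
               "Put a script tag in the q parameter on the search page, it is "
               "reflected without encoding, found by my scanner.", "Critical"),
        Report("R3", "app.example.com", "IDOR", "/api/orders/{id}",
               "Scanner says the orders endpoint is vulnerable.", "High"),
        Report("R4", "legacy.example.net", "SQL Injection", "/login",
               "Sent a quote character in the username and got a database error "
               "back in the response body, see attached request and response.", "Critical"),
    ]
    return triage(reports, in_scope=["app.example.com", "api.example.com"])


if __name__ == "__main__":
    for rid, res in run_demo().items():
        print(f"{rid}: {res.route:13s} {res.reason}")
```

R2 lands as a duplicate of R1 even though the host casing, the class wording, and the endpoint string all differ, which is the kind of near-identical resubmission an AI-assisted workflow tends to produce; R3 is bounced for thin steps before anyone spends reviewer time on it.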
No clear word yet on how HackerOne plans to tackle the slop problem. The company hasn’t announced new filtering tech or changes to its submission guidelines. Maybe they’re working on it quietly. Maybe they’re still figuring it out.
Ethical Hackers Lean Into AI Tools
The researcher community embraced AI hard in 2025. Tools like GitHub Copilot, ChatGPT, and specialized security scanners became standard kit for bug hunters. Some researchers built custom AI models trained on vulnerability databases to spot patterns in code. Others used AI to automate reconnaissance—the early phase of testing where you map out a target’s attack surface.
It’s faster work, basically. A researcher can scan multiple targets in the time it used to take to manually probe one. That efficiency explains part of the submission surge. More researchers can participate in more programs simultaneously, boosting overall output.
But speed doesn’t always equal skill. Veterans in the bug bounty scene worry that AI lowers the barrier to entry too much. Someone with limited security knowledge can now generate reports that sound plausible, even if the underlying analysis is weak. That floods platforms with submissions from less experienced hunters, mixing in with work from seasoned pros.
HackerOne didn’t break down its 85,000 valid reports by researcher experience level. It’s unclear how many came from repeat contributors versus newcomers. The platform also didn’t share data on rejection rates or how many submissions got flagged as duplicates or low-quality.
What Companies Are Paying For
Bug bounty programs aren’t cheap. Companies pay researchers based on the severity and impact of the vulnerabilities they find. Critical bugs—the kind that could lead to data breaches or system takeovers—can fetch five-figure payouts or more. Lower-severity issues might bring a few hundred dollars.
The rise in submissions means companies are potentially paying out more, but only if those submissions are valid and unique. If the slop rate is climbing, companies might be paying platform fees for a higher volume of reports without seeing proportional security improvements. That’s a tough sell for CFOs already skeptical about bug bounty ROI.
HackerOne’s revenue model typically involves fees from client companies plus a cut of bounty payments. More submissions can mean more revenue, but only if the platform maintains trust. If companies start seeing too much noise, they might pull back budgets or shift to invite-only programs with vetted researchers.
The Quality Question Lingers
Eighty-five thousand valid reports sounds impressive. It is, kind of. But the word “valid” does a lot of work in that sentence. Valid doesn’t necessarily mean high-impact. A valid report might be a minor configuration issue or a low-risk informational finding. Those matter, sure, but they’re not the critical vulnerabilities that keep security teams up at night.
HackerOne hasn’t published a breakdown of its 2025 submissions by severity. No word on how many were critical, high, medium, or low. That data would paint a clearer picture of whether the 7% increase actually moved the needle on security or just added volume.
Platforms need to walk a fine line. Reject too many reports and you discourage researchers. Accept too many low-quality submissions and you overwhelm clients. Getting that balance right is harder when AI keeps shifting the baseline.
The bug bounty world is watching to see how HackerOne adapts. Other platforms face the same pressures. AI isn’t going away, and neither is the slop problem. Companies that figure out smarter filtering and better researcher incentives will probably win. The ones that don’t? They’ll drown in reports that don’t matter.
Frequently Asked Questions
How many valid bug bounty submissions did HackerOne receive in 2025?
HackerOne received 85,000 valid bug bounty submissions in 2025, representing a 7% increase from the previous year’s total.
What is “slop” in bug bounty programs?
Slop refers to less precise or lower-quality bug reports that lack relevance or actionable details, often generated or influenced by AI tools that produce high volumes of submissions without corresponding quality.
How has AI impacted bug bounty reporting?
AI has increased the efficiency of bug detection and the volume of submissions, but it has also contributed to a rise in lower-quality reports that complicate the review and filtering process for platforms like HackerOne.