Post
MEDIUM

HackerOne Pauses Bug Bounties as AI-Driven Discovery Creates Remediation Backlog

· appsec · llm · devsecops

HackerOne paused bug bounty programs for some open source projects after AI-assisted discovery produced more valid vulnerability reports than maintainers can remediate. The bottleneck has shifted from finding bugs to fixing them, and bug bounties fund discovery, not remediation.

This signals a structural change in the economics of vulnerability disclosure, driven by AI tooling. Open source maintainers and security teams should plan for a sustained increase in valid bug reports, and for the triage and patch work each one creates. Triage capacity and patch velocity, not discovery funding alone, are now the binding constraints on securing open source software.