@bagder writes about his AI slop problem on H1: https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-slops/

I like bug bounties and I put a fair amount of effort into bootstrapping the one at Google back in the day, but I think the problem runs deeper than AI.

First, most people who make a living doing bug bounties don't go after $10,000+ bugs. Very few researchers can crank out top-notch find month after month. A much better strategy on these platforms is to go after low-hanging fruit and rake in $500 to $1,000 bugs every day.

Companies respond accordingly! Because most of the traffic are low-value vulns from less skilled researchers, you don't want to throw your best analysts at this. It's increasingly common to outsource triage and bug-filing for bug bounty programs.

But if the person doing the triage isn't highly paid and familiar with the systems in question, there is a strong incentive to err on the side of caution. If you incorrectly close something serious as a non-issue, you risk the researcher making a stink. Conversely, if the triager files a non-issue with the product team, they'll probably fix it anyway, and the only cost is some wasted time.

The result is that in most programs, there's no penalty for slop. And researchers exploit this with spray-and-pray tactics. Why not?

I think one issue here are platforms that make it easy to window-browse for bug bounty programs. They have plenty of advantages, but it's a race to the bottom because the least diligent vendors set the bar for participation for all.

"I was explaining to my Ukrainian colleague the phrase ‘There’s no such thing as a free lunch’. She told me the equivalent in Ukrainian is ‘The only free cheese is in the mousetrap’ - which is so much better"

-found on Bluesky