Artificial intelligence is dramatically inflating the volume of bug bounty reports hitting crypto protocols, and security teams are struggling to separate genuine threats from machine-generated noise. Barry Plunkett, co-CEO of Cosmos Labs, said on X Tuesday that his program has seen a 900% increase in submission volume compared to last year, receiving between 20 and 50 reports per day.
Plunkett was responding to a bug bounty hunter who accused the protocol of ignoring a vulnerability report. He acknowledged the surge has produced both valid and invalid submissions in higher numbers, adding pressure on teams trying to triage what actually poses a risk.
An Industry-Wide Strain on Security Triage
The broader trend is documented. HackerOne reported in January that 85,000 valid bounty submissions were logged across its platform in 2025, a 7% increase from the prior year. That figure covers only validated reports, meaning the raw inflow of submissions, many of them AI-generated and discarded, runs considerably higher.
The problem is not limited to crypto. In January, Daniel Stenberg, the creator of the widely used open-source data transfer tool curl, announced he was shutting down his bug bounty program entirely. Stenberg cited an exhausting flood of what he called “AI slop” in vulnerability reports, saying the volume made the program unsustainable.
Curl is embedded in a large number of applications, including blockchain infrastructure, making Stenberg’s decision a signal that resonated well beyond the open-source software community.
Crypto Teams Begin Adapting
Plunkett said Cosmos Labs has already begun adjusting its processes in response to the influx. The team is tightening its submission scoring methodology, prioritizing researchers with established track records, and partnering with bug bounty providers that offer more advanced automated triage tools.
Kadan Stadelmann, chief technology officer at Komodo Platform, said he has observed a similar rise in submissions and payouts across the industry. He described bug bounty programs as essential to defending decentralized systems but warned that smaller teams face a disproportionate burden as submission volumes grow.
“Blockchain teams will have to create AI deterrents to sift through incoming bug bounties,” Stadelmann said. “The smaller the team, the bigger the problem of increased bug bounties will become. Software engineers won’t have the capacity to examine everything.”
His proposed remedy is direct: use AI to counter AI. Deploying machine-assisted triage to filter inbound reports before they reach human reviewers could give under-resourced teams a fighting chance at catching real vulnerabilities without burning out staff on phantom ones.
The tension cuts both ways. AI tooling has made it meaningfully easier for legitimate security researchers to scan large codebases and surface genuine flaws that might otherwise go undetected.
The same capability, in less careful hands, produces a wave of plausible-sounding but fabricated or hallucinated vulnerability claims that consume finite security bandwidth.
For crypto protocols managing live assets, the cost of missing a real exploit is severe, which makes every low-quality submission a compounding risk rather than a minor inconvenience.