Crypto protocols are experiencing a surge in bogus bug bounty submissions due to increased use of AI, complicating efforts to identify genuine threats. Bug bounties reward ethical hackers for reporting vulnerabilities and are widely used in the crypto industry. While AI can efficiently scan large codebases for bugs, it also tends to generate inaccurate submissions.
Barry Plunkett, co-CEO of Cosmos Labs, reported a 900% increase in bug bounty submissions, averaging between 20 and 50 per day. He noted that this uptick has resulted in a significant rise in both valid and invalid reports. “AI is changing the way that bug bounty programs must operate,” Plunkett stated in response to concerns raised by a bug bounty hunter.
“I'm posting a response on behalf of Cosmos Labs.
This is not a security vulnerability. However, it is a bug that the team will address in due course.
There’s no risk to consensus, liveness, or funds as a result of this bug. Furthermore, the reported behavior only shows up if…”
— barry (@BPIV400) April 21, 2026
Daniel Stenberg, creator of the open-source tool curl, announced in January that he was ending his bug bounty program because of the overwhelming quantity of “AI slop in vulnerability reports.” Stenberg expressed frustration with the amount of time spent sifting through inauthentic submissions.
HackerOne, a leading bug bounty platform, reported that there were 85,000 valid report submissions in 2025, a 7% increase compared to the previous year. This growth highlights the ongoing challenges faced by teams in managing bug bounty programs amid an increasing volume of submissions.
In response, Cosmos Labs is modifying its approach by tightening submission scoring and prioritizing submissions from trusted researchers. Plunkett emphasized the need for collaboration with other providers to enhance submission triage processes.





