HackerOne stops bug bounty programs due to AI

The Internet Bug Bounty program “has been paused for new submissions,” HackerOne announced last week.

The program, which has been running since 2012, is funded by some leading software companies and has awarded more than $1.5 million to researchers who have reported bugs.

Until now, 80% of its payments have gone to discovering new vulnerabilities and 20% to supporting remediation efforts. But as artificial intelligence makes it easier to find bugs, that balance needs to change, HackerOne said in a statement.

“AI-powered research is expanding vulnerability discovery across the ecosystem, increasing both coverage and velocity. The balance between discovery and remediation in open source has fundamentally shifted,” HackerOne says.

Among the first projects to be affected is the Node.js project, a server-side JavaScript platform for web applications known for its extensive ecosystem. While the project team will continue to accept and sort bug reports through HackerOne, without funding from the Internet Bug Bounty program it will no longer pay out bounties, according to a statement on its website…

Just last month, Google also stopped accepting submissions generated by artificial intelligence to its Open Source Software Vulnerability Reward Program.

The Internet Bug Bounty emphasized that “We have a responsibility to the community to ensure that this program effectively achieves its ambitious dual purpose: discovery and remediation. Accordingly, we are pausing submissions while we consider the structure and incentives needed to advance these goals…”

“We remain committed to strengthening open source security. In collaboration with project maintainers and researchers, we are actively evaluating solutions to better align incentives with the realities of the open source ecosystem and to ensure that vulnerability discoveries translate into sustainable remediation outcomes.”
