HackerOne’s Internet Bug Bounty now pays $297 for a medium-severity vulnerability — down from $1,843 — and the program is paused while the company retools how it awards cash to researchers.
HackerOne's IBB payout cuts and temporary pause
The Internet Bug Bounty (IBB) program has been placed "on a break" and is "currently paused while we evaluate adjustments to the program that will maximize value to researchers, sponsors, and the open-source ecosystem," a HackerOne spokesperson told The Register. The change is accompanied by steep reductions in headline payouts: critical vulnerabilities that previously paid $9,250 now fetch $2,257; high severity went from $4,429 to $1,009; medium from $1,843 to $297; and low severity from $597 to $68.
When asked if AI-generated reports played a role in the pause and reduced reward amounts, the spokesperson did not answer directly. Instead, they said, "The Internet Bug Bounty is a unique, dynamic program where bounty levels automatically adjust based on the contributions from active participating sponsors" and that "payouts under this program are regularly adjusted accordingly, as provided in the IBB program description." The IBB remains closed to new submissions while these adjustments are evaluated.
Two researchers, delayed payments, and changing expectations
The payout changes have coincided with a backlog of pending rewards. The Register reported that researcher Jakub Ciolek, who submitted two denial-of-service bugs in Argo CD via the IBB last fall, expected about $8,500 for the two flaws but was ghosted for months. HackerOne told Ciolek his reports remained "pending reward processing due to a temporary operational backlog."
A second researcher in a similar situation finally received a payout after The Register intervened, but at the reduced medium-severity rate of $297. "I am glad I finally got something," that bug hunter told The Register. Ciolek, by contrast, said he is still waiting for any word and emphasized that his grievance is not only financial. "The reduced payout is a symptom," he told The Register. "The economics of vulnerability reporting are changing very quickly."
AI-assisted reporting: higher quality, higher volume, harder to manage
Multiple maintainers and researchers cited by The Register describe a recent shift in the character of incoming reports: models that once produced "AI slop" are now delivering higher-quality, scalable findings that create workload problems for those who must triage them. Daniel Stenberg, founder and lead developer of curl, posted that his project "stopped getting AI slop security reports" and now receives "an ever-increasing amount of really good security reports, almost all done with the help of AI." Linux kernel maintainer Greg Kroah-Hartman told The Register that AI-assisted reports contained "less slop and more valid concerns."
Linux creator Linus Torvalds described the kernel project's security mailing list as "almost entirely unmanageable" due to multiple researchers using AI to find bugs and filling the list with duplicate reports. Ciolek summed up the operational pressure: "AI-assisted reports are increasingly real enough to matter, but numerous enough to overwhelm the people who have to validate and fix them."
Changing incentives: discovery versus remediation
Ciolek argued that the economics of bug bounties are shifting away from rewarding raw discovery. "Bug bounties were supposed to reward what was scarce," he said. "That used to be discovery. Today, finding plausible bugs is becoming much cheaper, and generating reports is easy to scale. The expensive part is still very human: someone has to verify impact, deduplicate reports, decide whether something really crosses a security boundary, coordinate disclosure, and get a safe fix shipped."
He warned that changing payout rules after the work is complete undermines predictability. "The trust issue here is that the change was effectively applied long after the work was already done, fixed, and publicly credited under a different expectation," Ciolek said. "Responsible disclosure depends on researchers believing the process is predictable. The rules should not change after the work is complete. Serious researchers will price that in as risk, or they will stop participating."
What this means for bug hunters, open-source maintainers, and program sponsors
- Bug hunters: Reduced and retroactively adjusted rewards may push hunters to "price that in as risk" or to stop participating in discovery-first bounties; several researchers described receiving delayed or reduced payments.
- Open-source maintainers and security teams: Projects face a rising volume of AI-assisted reports that are "real enough to matter" but also duplicate and overwhelm mailing lists and triage capacity, as Linus Torvalds and others described.
- Program sponsors and HackerOne: The company says IBB bounty levels "automatically adjust" based on participating sponsors' contributions and is pausing the program to "evaluate adjustments" intended to balance value for researchers, sponsors, and the open-source ecosystem.
The immediate facts are clear: payouts have been cut, the IBB is paused, and both maintainers and researchers say AI has changed the practical economics of discovery. What remains to be seen is whether a retooled IBB will restore predictable incentives and rebuild the trust that researchers say is essential to responsible disclosure.




