7 CVEs, $96, and the Market That Stopped Paying
Alex's Substack
In my last post I told you a land surveyor found real vulnerabilities without writing code. This is the part about what happened to the market while I was finding them.
Alex, May 27, 2026
In January 2026, Daniel Stenberg shut down the curl bug bounty program. He’d run it for six years, paid out over $100,000, and confirmed 87 real vulnerabilities. By the time he killed it, AI-generated reports had cratered the valid submission rate from above 1:6 to below 1:20.

A month earlier, I had just begun filing my first vulnerability reports; over the next five months my system would produce 166 findings, 74 submissions across six platforms, and 7 CVEs in the National Vulnerability Database. Total bounty revenue: $96.

For some of the plugins I reported, the maintainers fixed the vulnerability before a triager ever opened my report. The bug was real, they patched it, and nobody read what I sent. This is not a story about me being bad at this, but a reflection of a market that can no longer process what it’s receiving.

The Convergence
This wasn’t one thing breaking. It was everything breaking at once.

January 2026. Stenberg pulled the plug on curl’s bounty program. His farewell post is worth reading in full. The short version: AI-generated submissions had become a denial-of-service attack on his mental health.

“The never-ending slop submissions take a serious mental toll to manage and sometimes also a long time to debunk. Time and energy that is completely wasted while also hampering our will to live.” — Daniel Stenberg, daniel.haxx.se

He described three converging trends: “the mind-numbing AI slop, humans doing worse than ever, and the apparent will to poke holes rather than to help.” By the program’s final months, pure AI-generated submissions were flooding in at volume, and none of them were finding real bugs.

March 2026. HackerOne paused the Internet Bug Bounty, the foundational program for open-source security, which had been running since 2012 and had paid over $1.5 million to researchers. Their reasoning inverted the entire premise of bug bounty economics: discovery used to be the bottleneck, but with automated discovery, remediation is the bottleneck, and bounties don’t fund remediation.

Two months later they slashed payouts across the board. Critical bounties dropped 75.6%. Medium dropped 83.9%. Low dropped 88.6%.

March 2026. Bugcrowd reported that submission queues had grown over 334% in three weeks. They coined a term for what was happening: “sloptimism”, overly optimistic submissions driven by AI-generated reports filed with minimal validation. They also identified sock puppet accounts from security organizations that were using triage outcomes as reinforcement learning signals. The platforms weren’t just drowning in AI output. They were being used as free training data.

April 2026. Nextcloud ended payouts entirely. Their engineering team was spending an order of magnitude more time processing reports, and the overwhelming majority were redundant, invalid, or generated nonsense.

Anthropic announced Project Glasswing, deploying a restricted model called Claude Mythos through a coalition of roughly fifty security partners including AWS, Apple, Google, Microsoft, and CrowdStrike. By May, Glasswing had found over ten thousand high- or critical-severity zero-days across every major operating system and browser, among them a 17-year-old FreeBSD remote root exploit and over twenty Firefox CVEs from earlier work by Anthropic’s Frontier Red Team with Opus.

Of the 530 high- or critical-severity bugs reported to maintainers, only 75 had been patched.

“Several maintainers have told us they’re currently severely capacity constrained, and some have even asked us to slow down the rate of our disclosures because they need more time to design patches.” — Anthropic, Project Glasswing: An initial update

Developers weren’t thrilled. Jacob Aron at New Scientist put it plainly: “Anthropic’s solution to the problem it has created is ‘idk guys, work harder I guess.’”

The market was being eaten from both ends: AI slop from below, and AI capability from above, with Mythos finding vulnerabilities faster than the entire open-source ecosystem can patch them. The space where individual researchers find real bugs and get paid for it was compressing to nothing.
What My Numbers Look Like Inside That
I described the system I built in my last post: nine agents, an eight-stage pipeline, and 150+ lessons in institutional memory. Here’s what it produced and what happened to each finding.

Seven CVEs got assigned.
The two published CVEs are viewable on the Wordfence Intelligence researcher profile for “at1as.” Four are still under responsible disclosure, preventing me from naming the targets until...