HackerOne Cuts Internet Bug Bounty Payouts by Over 75 percent Amid AI‑Driven Reporting Surge
#Security


Regulation Reporter

HackerOne announced a pause to its Internet Bug Bounty (IBB) program and reduced reward tiers by up to 75 percent. The change follows an influx of AI‑assisted vulnerability reports that strain open‑source maintainers. Researchers warn the retroactive payout cuts threaten trust in bug‑bounty economics and call for a new model that rewards verification and remediation, not just discovery.


Regulatory context – While not a statutory regulation, HackerOne’s public statements function as a de‑facto policy amendment that affects all participants in its Internet Bug Bounty (IBB) program. The company has announced a temporary suspension of new submissions and a re‑pricing of bounty tiers that will remain in effect until the program’s next formal review, slated for Q4 2026.


What the change requires

  1. Reduced payout levels – Effective 22 May 2026, the IBB reward schedule is:

    • Critical severity: $2,257 (down from $9,250)
    • High severity: $1,009 (down from $4,429)
    • Medium severity: $297 (down from $1,843)
    • Low severity: $68 (down from $597)
  2. Program pause – No new vulnerability reports will be accepted while HackerOne evaluates adjustments. Existing reports remain in the backlog and will be processed under the new payout schedule.

  3. Transparency obligations – HackerOne has committed to publishing a revised IBB Program Description that outlines the dynamic bounty‑adjustment algorithm. The updated document must be posted on the HackerOne website no later than 30 June 2026.

  4. Researcher notification – All researchers with pending reports must receive a written notice of the revised payout before any payment is issued. The notice must include:

    • Original submission date
    • Original severity rating
    • New payout amount
    • Reason for the adjustment (e.g., “dynamic sponsor contribution model”)
  5. Sponsor contribution audit – Sponsors who fund the IBB program must provide quarterly statements showing their financial contributions. These statements will be used to justify the dynamic scaling of bounty amounts.


Compliance timeline

Date – Milestone
22 May 2026 – New payout schedule takes effect; program pause begins
30 June 2026 – Updated IBB Program Description published
15 July 2026 – Researchers with pending reports receive adjustment notices
31 July 2026 – First batch of adjusted payouts processed
Q4 2026 – Formal review of IBB program concludes; potential re‑opening of submissions

Why the change matters

HackerOne cites an “ever‑increasing volume of AI‑assisted security reports” as the primary driver. Projects such as the Linux kernel and curl have reported that AI tools now generate high‑quality vulnerability disclosures at scale, overwhelming maintainers who must still perform manual verification, deduplication, and coordinated disclosure. The cost of human triage has therefore risen relative to the cost of automated discovery, prompting the platform to recalibrate incentives.

Impact on researchers

  • Economic risk – Researchers who submitted reports under the old schedule now face a 75 percent reduction in expected compensation. This retroactive change challenges the principle of predictable remuneration that underpins responsible disclosure.
  • Trust erosion – As Jakub Ciolek (who reported two Argo CD DoS bugs) noted, “the rules should not change after the work is complete.” The perception that bounty levels can be altered post‑submission may deter skilled hunters from participating in open‑source programs.
  • Shift in focus – Experts suggest that future bounty models should reward verification, impact analysis, and remediation assistance, not merely the act of finding a flaw. This aligns incentives with the most labor‑intensive part of the security lifecycle.

Impact on open‑source maintainers

  • Reduced noise – Lower payouts may discourage low‑effort or duplicate submissions, easing the burden on maintainers.
  • Funding pressure – Sponsors must now allocate more resources to cover the human cost of triage, potentially increasing the overall program budget despite lower per‑bug payouts.

Next steps for stakeholders

  • Researchers should review the updated IBB Program Description once published and adjust expectations for future submissions. Those with pending reports must track the 15 July notice deadline to ensure they receive the correct payout information.
  • Sponsors need to prepare quarterly financial statements and be ready to justify their contribution levels, as these figures directly influence the dynamic bounty algorithm.
  • Open‑source project maintainers are encouraged to engage with HackerOne’s upcoming advisory board, which will discuss remediation‑focused bounty structures.
  • Regulators monitoring bug‑bounty ecosystems may consider whether dynamic payout models meet consumer‑protection standards, especially regarding retroactive changes.

The situation remains fluid. HackerOne has pledged to “maximize value to researchers, sponsors, and the open‑source ecosystem,” but the final shape of the IBB program will depend on the outcomes of the Q4 2026 review.
