https://hackerone.com/ibb/bounty_table_versions?change=2026-05-18T20%3A25%3A03.903Z&type=team

HackerOne has cut reward payments across its Internet Bug Bounty (IBB) program by more than 75 percent, reducing the payout for a critical vulnerability from $9,250 to $2,257, high-severity findings from $4,429 to $1,009, and medium-severity reports from $1,843 to $297. The IBB program, which funds rewards for vulnerabilities discovered in widely used open-source software, has also been paused and is not currently accepting new submissions while HackerOne evaluates adjustments to the program structure. The cuts have landed harshly on researchers who submitted reports under the previous reward schedule and are only now receiving payment. Among them is a researcher who received $297 for a vulnerability they submitted months ago, having expected the prior rate.

The timing of these changes reflects a structural shift in the economics of vulnerability research that has been accelerating rapidly. AI-assisted tooling has made the discovery of plausible security flaws significantly cheaper and faster, and the volume of reports flowing into open-source security programs has grown to the point where maintainers are struggling to process them. Linux kernel maintainers have described the project’s security mailing list as “almost entirely unmanageable” due to duplicate AI-assisted reports, while curl noted that the project had stopped receiving low-quality AI-generated submissions only to see them replaced by an ever-increasing volume of genuinely valid AI-assisted findings. The bottleneck has shifted from discovery to validation: finding a plausible bug is becoming commoditised, but the work of verifying impact, deduplicating reports, making patch decisions, and coordinating disclosure remains an irreducibly human and time-intensive process that open-source maintainers are not resourced to absorb at scale.

The deeper concern raised by this episode is not the reduced payout amounts themselves but what retroactive changes to reward structures signal about the reliability of the responsible disclosure process. Bug bounty programs function on the basis that researchers can make rational decisions about where to invest their time based on stated reward expectations, and that the rules governing those expectations will remain stable between the moment of submission and the moment of payment. If serious researchers cannot trust that the terms under which they reported a vulnerability will be honoured, they will either price that uncertainty into their participation or withdraw from structured programs entirely and choose less predictable disclosure paths.