A decade ago, bug bounties were a novelty; now they are an arms race. With agentic AI identifying vulnerabilities and creating exploits for them, the economics of bug hunting are shifting. Some researchers predict that tech giants can absorb this pressure, but smaller companies may struggle as submissions increase.
The 90-day disclosure window, designed at a time when vulnerability finders were rare, is now obsolete because LLMs accelerate both bug finding and exploit development. Developers face growing pressure to release patches quickly, which may shorten these deadlines further.
Meanwhile, the threat landscape keeps evolving. Google researchers have documented cybercriminals using AI tools to bypass two-factor authentication, highlighting how attackers are adapting. Nation-state actors remain a concern, but criminal groups account for the bulk of serious incidents, which makes zero-day vulnerabilities particularly dangerous in their hands.
The quality of bug reports has also changed. Projects such as curl and Linux have seen an influx of low-quality AI-generated submissions, while other projects report improved, high-quality reports produced with AI assistance. This shift is forcing companies to adapt their bounty programs accordingly.