惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
LINUX DO - 最新话题
C
Cyber Attacks, Cyber Crime and Cyber Security
G
GRAHAM CLULEY
T
Tenable Blog
T
Threatpost
C
CXSECURITY Database RSS Feed - CXSecurity.com
I
Intezer
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
D
Darknet – Hacking Tools, Hacker News & Cyber Security
K
Kaspersky official blog
Security Latest
Security Latest
P
Privacy & Cybersecurity Law Blog
Google Online Security Blog
Google Online Security Blog
SecWiki News
SecWiki News
P
Palo Alto Networks Blog
TaoSecurity Blog
TaoSecurity Blog
Webroot Blog
Webroot Blog
Spread Privacy
Spread Privacy
O
OpenAI News
The Last Watchdog
The Last Watchdog
P
Proofpoint News Feed
C
Check Point Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
人人都是产品经理
人人都是产品经理
S
Security @ Cisco Blogs
Scott Helme
Scott Helme
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
月光博客
月光博客
S
Securelist
酷 壳 – CoolShell
酷 壳 – CoolShell
V
V2EX
T
Troy Hunt's Blog
W
WeLiveSecurity
GbyAI
GbyAI
N
News | PayPal Newsroom
Y
Y Combinator Blog
C
Cisco Blogs
H
Help Net Security
The GitHub Blog
The GitHub Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
博客园 - 【当耐特】
Jina AI
Jina AI
MongoDB | Blog
MongoDB | Blog
P
Proofpoint News Feed
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
云风的 BLOG
云风的 BLOG
小众软件
小众软件
N
News and Events Feed by Topic

Hacker News - Newest: "LLM"

GitHub - lechmazur/position_bias: A benchmark for testing whether LLM judges keep the same preference when two lightly edited versions of the same story are shown in opposite orders. Flex routing (EU and EFTA) Dark Factories: Retooling for LLM Velocity Ask HN: What would be the impact of a LLM output injection attack? GitHub - AronDaron/dataset-generator: No-code desktop app for generating high-quality synthetic datasets to fine-tune LLMs — plan-then-execute pipeline, LLM-as-judge, HuggingFace upload. I thought I had a bug GitHub - Oaklight/llm-rosetta: Production-ready LLM API translation layer for Python — bidirectional conversion between OpenAI, Anthropic & Google formats via hub-and-spoke IR. Optional API gateway. Streaming & non-streaming. Zero core deps. Contributions welcome! GitHub - browser-use/browser-harness: Self-healing browser harness that enables LLMs to complete any task. GitHub - moeen-mahmud/remen: Remen turns thoughts into something you can return to Analyzing 156 LLM Launch Posts on Hacker News ChatGPT vs Gemini vs Claude: The Best LLM Subscription You Should Buy GitHub - salaamalykum/quran-semantic-search: High-density RAG Semantic Search Engine & Quran Corpus (GEO/SEO Architecture) GitHub - NVIDIA/TensorRT-LLM: TensorRT LLM provides users with an easy-to-use Python API to define Large Language Models (LLMs) and supports state-of-the-art optimizations to perform inference efficiently on NVIDIA GPUs. TensorRT LLM also contains components to create Python and C++ runtimes that orchestrate the inference execution in a performant way. Operational Readiness Criteria for Tool-Using LLM Agents Meshcore: Architecture for a Decentralized P2P LLM Inference Network How an LLM becomes more coherent as we train it GitHub - seetrex-ai/laimark GitHub - Jossifresben/BibCrit: AI-assited biblical textual criticism GitHub - wastedcode/memex: File system based wiki, maintained by Claude 99helpers.com GitHub - cliver-project/AITrigram GitHub - unbody-io/adapt: A self-evolving memory layer for AI agents. GitHub - hb20007/awesome-gen-ai-fails: A list of incidents where reliance on generative AI and LLMs resulted in harm to companies, individuals, or society GitHub - nevenkordic/localmind: Run any local LLM with persistent memory and context. CLI agent over Ollama with SQLite-backed hybrid recall. No cloud. Ask HN: What are the machine requirements for a LLM like Llama-3.1-8B? Faster LLM Inference via Sequential Monte Carlo grpo explained: group relative policy optimization for llm finetuning - cgft Stop comparing price per million tokens: the hidden LLM API costs · TensorZero Andrej Karpathy's LLM Wiki Is a Bad Idea GitHub - GG-QandV/mnemostroma: Offline RAM-first cognitive leer/coprocessor for AI agents and robotics. Solves "Context Abandonment" with 20-80ms latency using a dual-thread biomimetic memory architecture (ONNX + SQLite WAL). mempalace/agent at agent · skorotkiewicz/mempalace GitHub - Nyquest-ai/nyquest-rust-fullstack-pub: Nyquest — Semantic Compression Proxy for LLMs. 350+ rules, local LLM stage, 15-75% token savings. Full Rust stack. GitHub - TheoV823/mneme: Enforce architectural decisions in AI-assisted development. GitHub - klemenvod/TokenBrawl: A 1v1 Bomberman-style game where two LLM agents play autonomously against each other. No human plays — you watch the AIs fight. Each agent receives a text description of the board state, reasons about it, and outputs a move as JSON. The game engine executes it. Introducing the Common AI Provider: LLM and AI Agent Support for Apache Airflow Power Circuit AI: Designing Power Electronic Circuits for Motor Drives with Generative Artificial Intelligence Ask HN: How to program with IDE and LLM on CPU locally? Show HN: Agent-cache – Multi-tier LLM/tool/session caching for Valkey and Redis Bonsai 1-bit WebGPU - a Hugging Face Space by webml-community The LLM Fallacy: Misattribution in AI-Assisted Cognitive Workflows Ask HN: Simple tooling for local LLM code critique without IDE integration? Can a General LLM Diagnose a DICOM Slice? A 10-Case Public Benchmark Charts-of-Thought: Enhancing LLM Visualization Literacy (PDF, 2026) GitHub - Mesh-LLM/mesh-llm: Distributed AI/LLM for the people. Share compute privately or publicly to power your agents and chat. GitHub - seamus-brady/springdrift: A persistent runtime for long-lived LLM agents Writing an LLM from scratch, part 32k -- Interventions: training a better model locally with gradient accumulation Ask HN: Which LLM model and agentic CLI are you using for local development? GitHub - wayneColt/modelcascade: Route local. Escalate smart. Never overspend. Open-source multi-model cascade routing for autonomous agents. LLM pricing is 100x harder than you think GitHub - asakin/llm-primer: Pre-warmed Claude Code sessions in tmux. No startup wait. GitHub - EggerMarc/chat-rs: A multi-provider LLM framework for Rust. GitHub - SynapseKit/SynapseKit: Minimal, async-first Python framework for production LLM apps- 2 hard deps, no magic, no SaaS. A Claude Skill that Makes LLM Paragraphs More Bearable Does Gas Town 'steal' usage from users' LLM credits & paid services to improve itself? What's Claude Code Actually Doing? Open the Black Box with the Arthur Engine Milla Jovovich's New Open Source LLM Memory App and the Dark Code Problem Your intuition of LLM token usage might be wrong Show HN: Bloomberg Terminal for LLM ops – free and open source GitHub - 0xchamin/mcptube: Transform YouTube videos into a compounding knowledge base with transcripts, vision analysis, and agentic search. Works as an MCP server for Claude, Copilot & more. Show HN: Open KB: Open LLM Knowledge Base Your LLM is a compiler, not a runtime GitHub - sapountzis/Unslop: A Web Feed That Deserves You crates.io: Rust Package Registry Beyond Karpathy's LLM-Wiki: The Necessity of Cognitive Governance GitHub - amitshekhariitbhu/llm-internals: Learn LLM internals step by step - from tokenization to attention to inference optimization. GitHub - parallem-ai/parallem: An expressive library for running agents with the Batch API. GitHub - stfurkan/pi-llm LLM-Wiki Show HN: Formal – Formal verification for AI-generated code using Lean 4 LRTS – Regression testing for LLM prompts (open source, local-first) LLM Wiki Skill: Build a Second Brain with Claude Code and Obsidian I built an LLM Wiki and RAG solution: here's a demo for a security KB The biggest advance in AI since the LLM Predict-Rlm: The LLM Runtime That Lets Models Write Their Own Control Flow the-synthetic-library/the-synthetic-mind at main · joshferrer1/the-synthetic-library GitHub - yisding/reviewwiggum GitHub - Donnyb369/mcp-spine: Context Minifier & State Guard — Local-first MCP middleware proxy GitHub - Beledarian/wgpu-llm: A from-scratch LLM inference engine that uses wgpu (the cross-platform WebGPU implementation) to dispatch WGSL compute shaders for every math operation a Transformer needs. No CUDA. No Python. No massive framework dependencies. Just Rust, raw shaders, and your GPU. GitHub - anitiue/Hindsight: An experience-driven self-improvement framework for LLM agents — 基于经验的 LLM Agent 自我改进框架 GitHub - stef41/lmscan: 🔍 Detect AI-generated text and fingerprint which LLM wrote it. Open-source GPTZero alternative. Zero dependencies, works offline. GitHub - alainnothere/AmdPerformanceTesting: Amd Performance Testing Ask HN: Is a purely Markdown-based CRM a terrible idea? Optimized for LLM agents Context Engineering - LLM Memory and Retrieval for AI Agents | Weaviate little_helper_tui/letter.md at main · sleepyeldrazi/little_helper_tui GitHub - EvanZhouDev/umr: The Unified Model Registry for all your local AI apps. GitHub - JordanCT/VigIA-Orchestrator Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain A Taxonomy of RL Environments for LLM Agents Llama LLM Network Feture GitHub - genedeng-ca/ai-mac-migration: AI-powered Mac-to-Mac migration tool - replace Apple Migration Assistant with intelligent, selective transfer using local LLMs GitHub - lunargate-ai/gateway: High-performance self-hosted AI gateway (OpenAI-compatible) with routing, retries, and streaming GitHub - AuthBits/webmcp: A lightweight, prompt-driven MCP web research server for high-quality LLM powered information extraction. Externalization in LLM Agents: A Unified Review of Memory, Skills, Protocols and Harness Engineering Springdrift: An Auditable Persistent Runtime for LLM Agents with Case-Based Memory, Normative Safety, and Ambient Self-Perception High-Stakes Personalization: Rethinking LLM Customization for Individual Investor Decision-Making From Static Templates to Dynamic Runtime Graphs: A Survey of Workflow Optimization for LLM Agents HUOZIIME: An On-Device LLM-enhanced Input Method for Deep Personalization TIDE: Token-Informed Depth Execution for Per-Token Early Exit in LLM Inference Characterizing WebGPU Dispatch Overhead for LLM Inference Across Four GPU Vendors, Three Backends, and Three Browsers LLM Targeted Underperformance Disproportionately Impacts Vulnerable Users
The State of LLM Bug Bounties in 2026
Anthony D'Onofrio · 2026-04-19 · via Hacker News - Newest: "LLM"
← /learn

Reference

12 min read·By Anthony D'Onofrio·Updated 2026-04-19

A practitioner's guide to where LLM bug bounties actually pay in 2026 — program-by-program scope comparison, typical payouts, which classes of AI bugs get rewarded versus closed as 'known limitation,' and how to pick a scope that fits how you hunt.

If you hunt for a living, the question you want answered is not "does prompt injection exist?" — you know it does — but "which programs pay for what, and how much?" The bug bounty landscape for LLM-specific vulnerabilities has matured fast over the last eighteen months, but the published information about it is scattered across dozens of program pages, policy revisions, and disclosed reports. Nobody has pulled it into a single comparative view.

This is that view. I've combed through every major program I could find that either explicitly scopes AI vulnerabilities or has paid for them in public disclosures, and summarized the state of play: what's in scope, what's out of scope, what the median payout actually looks like versus the advertised ceiling, and where the gaps are if you're trying to pick a program to focus on.

I'll flag my biases up front. I run Wraith, an AI-security platform that includes a hands-on academy and a pentesting certification for this exact discipline, so I care about hunters succeeding in this space — it validates the category. I've also reported vulnerabilities into several of these programs myself. Where I have direct experience, I'll note it.

The short version

  1. Anthropic, OpenAI, and Google run the three largest and most mature AI-specific bounty programs. All three explicitly scope model and product vulnerabilities, and all three have paid five-figure bounties for serious finds. They're also the strictest about what counts — a lot of "prompt injection" submissions get closed.
  2. HackerOne and Bugcrowd host a fast-growing long tail of AI-adjacent programs — SaaS products that have bolted AI features onto existing surfaces. These programs often don't know how to triage LLM-specific bugs, which is both an opportunity (novel finds, lower competition) and a frustration (reports closed as informational because the triager doesn't understand the impact).
  3. The biggest gap in 2026 is indirect prompt injection scope. Most programs nominally accept it; in practice, triage consistently under-rates it, especially when the impact requires a multi-step chain. This is the single most important thing to get right when writing your report.
  4. Median payouts are lower than the advertised maximums suggest. Headline numbers of $15k-$50k refer to critical findings against core infrastructure. The median real-world AI bug payout in 2026 is closer to $500-$2,500, with premium payouts concentrated at a few specific high-impact categories (tool abuse that reaches infrastructure, cross-tenant data exfiltration, anything that bypasses paid features).

Read on for the program-by-program breakdown, or jump to picking a program that fits how you hunt if you already know the landscape and want tactical advice.

Program-by-program breakdown

Anthropic's Model Safety Bug Bounty

Anthropic has run AI safety bounty programs since 2023 and moved to a permanent program in late 2024, hosted through HackerOne. Scope covers both the Claude models and the surrounding product surface (Claude.ai, the API, Claude Projects, etc.).

What's in scope:

  • Universal jailbreaks — prompt patterns that reliably bypass safety training across multiple high-stakes refusal categories
  • Classifier bypasses for deployed safety systems (especially the constitutional classifiers research)
  • Product-level vulnerabilities: authentication, data isolation between workspaces, billing integrity
  • Tool-use-related vulnerabilities in the Claude API and the Computer Use beta

What's out of scope (explicitly or in practice):

  • "Single-domain" jailbreaks — getting Claude to produce one kind of refused content in one kind of framing. Scope requires breadth.
  • Hallucination-based misinformation unless it has a clear exploitation path
  • Model denial-of-service via long inputs (out-of-scope as expected behavior under rate limits)

Typical payouts:

  • Headline: up to $20,000+ for critical universal jailbreaks
  • Realistic middle-band: $1,500-$5,000 for solid partial bypasses, novel classifier evasion techniques, or product-level AuthZ bugs
  • Lower band: $300-$1,000 for narrower findings that are still novel

My read: Anthropic's program is one of the highest signal in the space. Triage is technically strong and responses are fast by bounty-program standards. The bar for "universal jailbreak" is genuinely high — they're not paying out for single-turn "DAN"-style prompts — but the payouts when you hit it are competitive with top conventional programs. Best fit for hunters who can invest multi-day effort per finding.

OpenAI's Bug Bounty Program

Hosted through Bugcrowd. The program scope expanded substantially in 2024 to explicitly cover model safety alongside the traditional product surface (ChatGPT, the API, the Custom GPT ecosystem, plugins in their various incarnations).

What's in scope:

  • Authentication / AuthZ across ChatGPT accounts, teams, and enterprises
  • Custom GPT exploits — actions abuse, system prompt extraction from third-party GPTs (with the GPT creator's inclusion), plugin-related scope escapes
  • Model and feature vulnerabilities that affect confidentiality or integrity of user data
  • Specific vulnerability classes in their published scope document (updated quarterly)

What's out of scope (explicitly or in practice):

  • Prompt injection "in general" — OpenAI's policy has historically been that prompt injection against the base model is a known limitation, not a payable bug. What is payable is prompt injection that achieves a specific further impact (data exfiltration, privilege escalation, cross-user effects).
  • Jailbreaks for content policy — you can't get paid for making ChatGPT say a bad word.
  • Hallucinations, including harmful ones, unless they lead to further exploitation.

Typical payouts:

  • Headline: up to $20,000 for critical product vulnerabilities
  • Realistic middle-band: $500-$3,000 for solid AuthZ bugs in the Custom GPT ecosystem or the API
  • Lower band: $200-$500 for smaller findings

My read: OpenAI's program rewards you for chaining prompt injection into concrete further impact. "I can make ChatGPT say X" is closed; "I can make a third-party Custom GPT reveal its uploaded knowledge files, containing data the creator didn't intend to share" is paid. Report framing is disproportionately important here.

Google's AI Bug Bounty (VRP expansion)

Google's Vulnerability Reward Program expanded in 2023 to cover generative AI specifically, and the scope has been refined several times since. Covers Gemini (the consumer product and the API), AI features bolted onto Workspace (Gmail, Docs, Drive), and Google's various AI-powered research interfaces.

What's in scope:

  • Indirect prompt injection against AI-powered Workspace features (Gemini in Gmail reading adversarial email content, Gemini in Docs processing adversarial document content)
  • Cross-account data exfiltration via AI features
  • Prompt injection that leads to exfiltration of conversation history, uploaded files, or Workspace content
  • Model and training-data extraction attacks with measurable confidentiality impact

What's out of scope:

  • Content policy violations / jailbreaks that don't have a confidentiality or integrity impact
  • Hallucinations
  • "Purely theoretical" prompt injection without a demonstrated exploitation path

Typical payouts:

  • Headline: up to $31,337 for severe OAuth/AuthZ issues and anything affecting large user bases
  • AI-specific headline: multi-thousand-dollar payouts reported publicly for indirect prompt injection into Workspace features
  • Realistic middle band: $500-$3,000

My read: Google's program has the most interesting attack surface for hunters in 2026. Gemini-in-Workspace is a sprawling indirect-injection playground: any tool that reads email content, documents, or third-party data becomes a potential target. The public disclosed reports (Johann Rehberger has published several) are required reading for anyone planning to hunt here.

Meta's AI Bug Bounty

Meta's program, hosted through HackerOne, covers the Meta AI product surface, the Llama ecosystem, and AI features across Facebook, Instagram, and WhatsApp.

What's in scope:

  • Privacy and integrity bugs in Meta AI
  • Cross-conversation data leakage
  • AI-feature abuse that leads to account or data compromise on the host platforms
  • Llama model distribution and fine-tuning infrastructure vulnerabilities

Typical payouts: Meta's payouts skew lower for AI-specific issues than for their core social-graph and platform bugs. Expect $500-$2,000 for solid AI findings; escalation is possible for issues with broad user impact.

My read: Less mature program for AI specifically than the three above, but the surface is huge and under-tested relative to the attention the Big Three get.

Microsoft's AI Bug Bounty

Microsoft runs AI bounties through the standard Microsoft Security Response Center channel, with dedicated scope for Copilot across its many surfaces (GitHub Copilot, Microsoft 365 Copilot, Windows Copilot, etc.), Azure AI services, and Bing Chat.

What's in scope:

  • Cross-tenant data leakage in Microsoft 365 Copilot — high-value given enterprise deployment
  • Indirect prompt injection against Copilot features
  • Escalation of privilege via Copilot tool use
  • Azure AI service vulnerabilities (model endpoints, fine-tuning data handling)

Typical payouts: Microsoft's standard tiers apply. Critical Copilot vulnerabilities can reach $30,000+; realistic median is $500-$3,000.

My read: The cross-tenant angle in M365 Copilot is particularly interesting. Enterprise deployments are sensitive to any cross-customer data leakage, and Copilot's access to OneDrive, SharePoint, and Exchange content per tenant creates a wide attack surface for scope-related bugs.

HackerOne's AI / GenAI category programs

The long tail. Hundreds of SaaS products have enrolled on HackerOne with AI-bolted features in scope. These include design tools, writing assistants, code assistants, and customer-support products.

In-scope patterns (varies widely by program):

  • Prompt injection that leads to account takeover, privilege escalation, or data exfiltration
  • System prompt extraction where the prompt contains customer-specific or sensitive information
  • Tool abuse that reaches infrastructure

Typical payouts: $100-$2,000 for most findings. A few well-funded programs pay higher.

My read: This is where most hunters will actually spend their time. The upside: less competition than the Big Three, novel products with less-tested AI integrations, and often a gentle ramp-up for hunters new to AI bugs. The downside: triage quality varies wildly. A program that paid for prompt injection yesterday might close the same class of bug tomorrow because a new triager doesn't understand the impact. Report framing is the difference between getting paid and getting closed.

Bugcrowd's AI programs

Similar long-tail dynamics to HackerOne, with a slightly different program mix. OpenAI and a handful of AI-native startups run on Bugcrowd rather than HackerOne.

My read: Worth watching, especially for AI-native startups whose programs are less crowded than Anthropic/OpenAI/Google. Payouts are similar to HackerOne mid-band.

Direct-to-vendor programs

A growing number of AI-native companies run private or direct bounty programs outside HackerOne/Bugcrowd. Examples in 2026 include several vector-DB vendors, prompt-management SaaS companies, and AI observability platforms.

My read: Historically these have less competition and faster triage. They also pay less on average, but the bar for "valid" is often lower because the product team is small and appreciative of external testing. Good for hunters building initial CV credibility.

Which attack classes actually pay

A lot of hunters get frustrated because they submit "prompt injection" findings and watch them close as "informational." The root cause, almost always, is that the report didn't demonstrate impact beyond the injection itself. Here's my read on which attack classes convert to payouts in 2026, ranked roughly by consistent reward:

  1. Tool abuse leading to SSRF, RCE, or infrastructure access. The highest-paying class. If prompt injection lets you make the agent fetch http://169.254.169.254/latest/meta-data/ and return the result, you're not writing a prompt injection report — you're writing an SSRF report with a prompt injection as the entry vector. Frame accordingly.
  2. Cross-tenant or cross-user data exfiltration. Gemini-in-Workspace, M365 Copilot, any multi-tenant AI SaaS product. These reports pay because the impact is concrete and enterprise-visible.
  3. System prompt extraction where the prompt contains secrets. API keys, internal URLs, partner names. Not the prompt itself — the embedded secrets are what makes it payable.
  4. Indirect prompt injection against AI-powered features that read third-party content. Email readers, document summarizers, browsing agents. The attacker-never-speaks-to-the-AI angle is what sells the severity.
  5. Cross-session data leakage. Memory systems, "long-term context" features, conversation persistence bugs. Often a scope-filter bug at heart, which makes them legible to triage.
  6. Paid-feature bypasses via prompt manipulation. Getting a free-tier user to trigger paid-tier functionality. Some programs treat this as business-impact, some as out-of-scope.
  7. Universal jailbreaks with policy-relevant impact. Mostly relevant at Anthropic, OpenAI, and Google. The bar is high but the payouts can be top-of-band.
  8. Output-handling bugs (XSS, SQLi, command injection via LLM output). Payable but often as conventional bugs, not AI bugs. Scope them accordingly.
  9. Hallucination with an attacker-controlled angle. Payable in narrow cases — the canonical one being a model that reliably invents a package name, which an attacker then registers. Most "hallucination" reports close as informational.
  10. Direct jailbreaks without further impact. Usually out of scope in 2026. Don't spend your time here.

Picking a program that fits how you hunt

The right starting program depends on what kind of hunting you like:

  • If you like deep technical research with long time horizons: Anthropic and OpenAI. Expect multi-day investments per report, high bar to get paid, top-tier payouts when you land one.
  • If you like breadth and quick iteration: Google Workspace AI features and Microsoft Copilot. Wide surface, lots of indirect-injection permutations to try, medium payouts but more frequent wins.
  • If you're new to AI hunting and want to build credibility: HackerOne's AI long tail. Lower bar to first payout, more forgiving programs, but invest heavily in report framing.
  • If you already hunt web vulns and want to transfer skills: Look for AI-bolted SaaS products on HackerOne and Bugcrowd. Your existing instincts for AuthZ, IDOR, and SSRF translate directly — the AI layer is often just a new entry vector to the same old bugs.

What's missing from the landscape

A few gaps stand out to me, and I expect them to close over the next 12-24 months:

  • There is no generalized AI bug bounty program. You can't pick a random consumer AI product and assume it has a bounty program. Most enterprises with AI-bolted products lag 1-2 years behind their conventional security posture on establishing AI-specific scope.
  • Triage expertise is the bottleneck, not bug count. The reason reports close as informational is that the triager doesn't understand prompt injection's exploitation model. As the discipline matures, expect more specialized AI triagers at the top programs.
  • Agentic AI bounties are underpriced. Full-kill-chain attacks where an AI agent is the initial access vector are real but bounty scope rarely covers the conventional side of the chain. This is one of the reasons I'm building the WCRO cert track longer-term — the intersection matters.

How to get started this week

If you've read this far and are thinking about actually hunting, here's the shortest path I can give you:

  1. Read Prompt Injection: A Complete Guide for 2026 and System Prompt Extraction: Techniques and Defenses. Both are long-form attack taxonomies.
  2. Walk through the OWASP Top 10 for LLM Applications, annotated. Map each category to one attack class you can execute.
  3. Spend a weekend on the Wraith Academy — six hands-on modules covering the core offensive disciplines. You'll know the attack surface cold by the end.
  4. Pick one program from the list above that fits how you hunt. Spend a week on reconnaissance before you file your first report. Understand the product, the scope, and recent disclosed reports on the program.
  5. When you find something: write the report like a pentest finding, not a forum post. Root cause, reproduction steps, concrete impact, remediation suggestion. The difference between a $500 bug and a $2,500 bug is often framing, not severity.

Good hunting.

Practice these techniques hands-on

14 free challenges teaching prompt injection, system prompt extraction, data exfiltration, and more.

Enter the Academy →