惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

云风的 BLOG
云风的 BLOG
Help Net Security
Help Net Security
Y
Y Combinator Blog
WordPress大学
WordPress大学
D
DataBreaches.Net
N
Netflix TechBlog - Medium
U
Unit 42
爱范儿
爱范儿
MyScale Blog
MyScale Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园 - 司徒正美
Google DeepMind News
Google DeepMind News
D
Docker
H
Help Net Security
Stack Overflow Blog
Stack Overflow Blog
宝玉的分享
宝玉的分享
博客园_首页
Microsoft Security Blog
Microsoft Security Blog
Engineering at Meta
Engineering at Meta
Know Your Adversary
Know Your Adversary
P
Privacy & Cybersecurity Law Blog
P
Proofpoint News Feed
T
Tenable Blog
S
Schneier on Security
V
Vulnerabilities – Threatpost
V
V2EX
T
Tor Project blog
Security Latest
Security Latest
S
Securelist
G
Google Developers Blog
NISL@THU
NISL@THU
Schneier on Security
Schneier on Security
Webroot Blog
Webroot Blog
小众软件
小众软件
Google Online Security Blog
Google Online Security Blog
阮一峰的网络日志
阮一峰的网络日志
W
WeLiveSecurity
IT之家
IT之家
I
InfoQ
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
月光博客
月光博客
I
Intezer
T
The Blog of Author Tim Ferriss
C
Cisco Blogs
博客园 - 【当耐特】
The GitHub Blog
The GitHub Blog
Cloudbric
Cloudbric
Scott Helme
Scott Helme
The Cloudflare Blog
L
LINUX DO - 热门话题

The Register - Security

Are we human? MyPillow must decide whether to be firm or soft as ransomware crims demand pay Experts pour cold borscht on Farage's Russian hack claim AI eyes scanning for bugs create a worrisome Linux security trend A Russian speaker and jailbroken Gemini went on a hacking spree and emptied at least one MAGA victim's crypto wallets Techie claims Trump Mobile website was leaking thousands of people's data Dems slam Trump for making cybersecurity hold out the tin cup while splurging on ballroom and Jan. 6 'slush fund' Attackers spill plaintext passwords of 46k Myspace93 users after 2021 breach Microsoft open-sources agentic AI safety tools Are we human? America's top cyber-defense agency left a GitHub repo open with with passwords, keys, tokens – and incredibly obvious filenames America's top cyber-defense agency left a GitHub repo open with passwords, keys, tokens – and incredibly obvious filenames Shai-Hulud copycat worm infects yet another npm package MPs want social media treated more like unsafe toys than harmless apps Nobody believes the 'criminals and scumbags' who hacked Canvas really deleted stolen student data To gain root access, intruder just had to ask AWS patched Quick auth bypass, says customers weren't using control Disgruntled researcher releases two more Microsoft zero-days Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub Foxconn confirms cyberattack after ransomware crew claims it stole confidential Apple, Nvidia files US bank reports itself after slinging customer data at 'unauthorized AI app' Anthropic’s bug-hunting Mythos was greatest marketing stunt ever, says cURL creator Best Western Hotels confirms web app data breach Arctic Wolf cuts 250 jobs in AI push 1 in 8 workers say selling company logins is justifiable Iran cyberspies LARPing as ransomware crims in espionage ops UK age-gating plans risk breaking the internet, privacy groups warn India orders infosec red alert in case Mythos sparks crime 'CopyFail' attackers start cashing in on Linux flaw ShinyHunters claims dump puts 119K Vimeo emails in the wild ShinyHunters claims 119K Vimeo emails in the wild Singapore boffins get diverse SIEMs singing in harmony Shadow IT has given way to shadow AI. Enter AI-BOMs AI-BOMs replace SBOMs as way to track AI agents and bots Home Office adds £216M to travel doc contract before bids FBI: China's hacker-for-hire ecosystem 'out of control' UK business breach rate stuck at 43%... blame the phishing What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia Chinese spy group caught lurking in Poland, Asia networks Critical cPanel, WHM flaw probs exploited as 0-day, pros say ORNL builds more sensitive GPS interference detector Microsoft patch fell short. New Windows flaw exploited Fooling large language models just keeps getting simpler Wiz hands GitHub AI-aided bug report that isn Don’t pay VECT a ransom - your big files are likely gone Pitney Bowes the latest victim of ShinyHunters’ breach-spree Ongoing supply-chain attack targets security, dev tools Medical and utility tech companies admit digital breakins Cybersecurity professional getting more work and less pay Crime crew impersonates help desk, abuses Teams chats ShinyHunters claim they have cruise giant Carnival’s booty CISA, NCSC issue Firestarter backdoor warning Intel expects AI inference to drive demand for its CPUs Open source models can find bugs as well as Mythos Researchers find sabotage malware that may predate Stuxnet Attackers could disable all of a city's public EV chargers Age checks could turn internet into an ID checkpoint, complains Proton CEO If malware via monitor cables is a matter of national security, this might be the gadget for you France's 'Secure' ID agency probes breach as crooks claim 19M records Scotland Yard can keep using live facial recognition on Londoners, say judges Nation-states want to cause harm, not just steal cash - stop handing your cyber defenses to the cheapest contractor Murder, she wrote: Ex-FBI chief wants some ransomware crims charged with homicide macOS ClickFix attacks deliver AppleScript stealers to snarf credentials, wallets Yet another ex-ransomware negotiator admits turning rogue after payoff from crimelords AI-assisted intruders pwned Vercel via OAuth abuse and a pilfered employee account Crook claims to leak 'video surveillance footage' of companies Met police trials snoop tech platform in push to cuff more London shoplifters Adaptavist Group breach spawns imposter emails as ransomware crew claims mega-haul Panasonic creates device-locked QR codes to speed facial biometric capture Iran claims US used backdoors to knock out networking equipment during war Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Scot becomes second Scattered Spider-linked crook to plead guilty in US Just like phishing for gullible humans, prompt injecting AIs is here to stay Locked-out iPhone user tells The Reg that Apple is scrambling to fix character flaw passcode bug Git identity spoof fools Claude into giving bad code the nod McGraw Hill linked to 13.5M-record data leak Microsoft announces product it doesn't want anyone to buy Server-room lock was nothing but a crock Nobody knows how many CVEs Anthropic's Project Glasswing has actually found Autovista blames ransomware for service disruption French cops free mother and son after crypto kidnapping UK told its Big Tech habit is now a national security risk Commvault has a Ctrl+Z for rogue AI agents No honor among thieves as 0APT threatens rival ransomware gang Krybit Fake Linux leader using Slack to con devs into giving up their secrets Booking.com warns of possible reservation data exposure NHS pays £46K to prep next Microsoft licensing round China wants AI to prepare school lessons and mark homework Anthropic's Mythos has The Kettle crew curious, skeptical Two different attackers poisoned popular open source tools Hungary officials used weak passwords exposed in breach dump CPUID hijacked to serve malware as HWMonitor downloads Unpacking AI security 2026 from experimentation agentic era Microsoft locks out top open source devs, blames process NHS Scotland-linked domains push pr0n and illegal streams Iran cyber actors disrupting US water, energy facilities, FBI warns Russia's Fancy Bear still attacking routers to boost fake sites, NCSC warns AI agents found vulns in this Linux and Unix print server Don't glamorize cybercrims, roast them instead Trump wants to take a battle axe to CISA again and slash $707M from budget
HackerOne takes an axe to its bug bounty rewards
Jessica Lyons Jessica Lyons · 2026-05-22 · via The Register - Security

Security

Critical flaw payouts slashed by more than 75%

Finding vulns just doesn't pay like it used to. At least one bug hunter who found an open source security flaw and reported it months ago via HackerOne’s backlogged Internet Bug Bounty (IBB) program finally got paid for his work - but at a drastically reduced reward rate. 

The security researcher found a medium-severity vulnerability that previously paid $1,843. As of Monday, HackerOne’s IBB pays $297 for the same severity level.

Similarly, the new IBB cash prize for a critical vulnerability is $2,257, compared to the previous $9,250 reward. High-severity bugs now fetch $1,009, while they used to earn a $4,429 payout. And low-severity bugs earn researchers $68, compared to the previous $597 reward.

HackerOne’s IBB remains on a break, and is not accepting new submissions. “The IBB program is currently paused while we evaluate adjustments to the program that will maximize value to researchers, sponsors, and the open-source ecosystem,” a spokesperson told us. “We remain committed to strengthening open source security through ethical security research.”

When asked if AI-generated reports played a role in the pause and reduced reward amounts, a spokesperson didn’t give us a direct answer.

“The Internet Bug Bounty is a unique, dynamic program where bounty levels automatically adjust based on the contributions from active participating sponsors,” the HackerOne spokesperson said. “Payouts under this program are regularly adjusted accordingly, as provided in the IBB program description.”

Tale of two hackers

Back in January, The Register talked with hacker Jakub Ciolek, who told us he reported two denial-of-service bugs in Argo CD, a popular Kubernetes controller, via HackerOne’s IBB program last fall. 

Both were assigned CVEs and fixed. Ciolek expected to receive about $8,500 for the two flaws - but instead HackerOne ghosted him for months, finally sending him an email after The Register reached out to the bug bounty platform. 

HackerOne thanked him for his patience and said his bug reports remain "pending reward processing due to a temporary operational backlog."

Shortly after, we heard from another researcher in a similar situation. “I still hope to get some bounty some day for it,” the bug hunter told The Reg, noting that HackerOne set an end-of-March deadline to sort the backlog.

On Wednesday, this hacker told us he finally received a bounty announcement and payout from HackerOne, although at $297, it was less than expected, as the payout amounts changed after they submitted their report. “I am glad I finally got something,” they said.

Ciolek said he’s still waiting for any word from HackerOne, and told us repeatedly that this isn’t about the money. “The reduced payout is a symptom,” he said. “The economics of vulnerability reporting are changing very quickly.”

Until just a few months ago, project maintainers - and bug hunters themselves, Ciolek included - dismissed this as an AI-slop problem

Recently, however, as models have gotten exponentially better at writing code and exploits, open source projects can’t keep up with the pace of bug reports, which still require humans to evaluate them.

"Over the last few months, we have stopped getting AI slop security reports in the curl project,” Daniel Stenberg, founder and lead developer of curl, famously said in a social media post. "They're gone. Instead, we get an ever-increasing amount of really good security reports, almost all done with the help of AI."

Today, finding plausible bugs is becoming much cheaper, and generating reports is easy to scale. The expensive part is still very human: someone has to verify impact, deduplicate reports, decide whether something really crosses a security boundary, coordinate disclosure, and get a safe fix shipped.

Linux kernel maintainer Greg Kroah-Hartman also noted in an interview with The Register how AI-assisted bug reports contained less slop and more valid concerns. On Sunday, Linux kernel boss Linus Torvalds declared that the project’s security mailing list has become “almost entirely unmanageable” due to multiple researchers using AI to find bugs and then filling the list with duplicate reports.

“The recent Linux security mailing list situation is a clear signal: AI-assisted reports are increasingly real enough to matter, but numerous enough to overwhelm the people who have to validate and fix them,” Ciolek told us.

“Bug bounties were supposed to reward what was scarce,” he continued. “That used to be discovery. Today, finding plausible bugs is becoming much cheaper, and generating reports is easy to scale. The expensive part is still very human: someone has to verify impact, deduplicate reports, decide whether something really crosses a security boundary, coordinate disclosure, and get a safe fix shipped.”

While Ciolek says he’s sympathetic to changing economics, and overworked, underpaid open source project maintainers' capacity to investigate every serious-looking security report, the trust issue between researchers and bug bounty programs remains.

“The trust issue here is that the change was effectively applied long after the work was already done, fixed, and publicly credited under a different expectation,” Ciolek said. “Responsible disclosure depends on researchers believing the process is predictable. The rules should not change after the work is complete. Serious researchers will price that in as risk, or they will stop participating.”

Ciolek says he’s no longer actively doing bug bounty research - but will report serious issues as he finds them.

“With the current flood of findings, I don't want to add more volume unless I'm confident the issue is serious enough,” Ciolek said. “In this AI-assisted era, the valuable work is no longer just ‘I found another bug.’ It is ‘I verified this matters and helped get it fixed.’ I think the original discovery-first bug bounty model is becoming obsolete. The next model has to reward more of the remediation cycle, not only the finding.” ®