GitHub Cuts Cash Bounties for Low-Risk Bugs, Pushes Security Responsibility Back to Users

GitHub Overhauls Bug Bounty Program Amid AI-Fueled Report Flood

GitHub announced today it is replacing cash rewards with merchandise for low-severity bug submissions. The company also issued a blunt reminder that users must take responsibility for their own security.

Source: www.infoworld.com

The move comes as the platform sees a sharp increase in reports that lack real security impact, many generated by AI tools. GitHub senior security researcher Jarom Brown explained that not every valid submission represents a meaningful risk.

“Not every valid submission represents a meaningful security risk. Some reports identify hardening opportunities or documentation gaps,” Brown wrote in a blog post.

He also addressed reports describing out-of-scope scenarios where users interact with malicious content. “These reports are often well-written and technically accurate … but they misunderstand where the security boundary lies,” Brown wrote. The security boundary, he stressed, is the user’s decision to trust untrusted content.

Background

GitHub’s bug bounty program has been overwhelmed by a surge in submissions over the past year. The company attributes much of this to newer generative AI tools that automate vulnerability discovery.

Despite the flood, GitHub does not want researchers to stop using AI. “AI is a force multiplier, and we expect it to play an increasing role in security research,” Brown wrote. But he added that all AI-generated submissions must be reviewed and validated by a human first—a rule that applies to any tool used in bug hunting.

The company hopes to screen out reports without proof of concept, theoretical attack scenarios, and those covered by its published list of ineligible rewards. The goal is to focus analyst time on genuine threats.

AI-Generated Noise: An Industry Problem

GitHub is not alone. Security vendors, open-source maintainers, and bug bounty platforms across the industry have reported a rising tide of low-quality, AI-assisted reports. Analysts warn that this noise consumes time, slows incident response, and makes it harder to spot legitimate issues.

Notable examples include the open-source project Curl, which eliminated its bug bounty due to AI slop, and HackerOne, which paused payouts for certain submissions. GitHub’s move follows a broader trend of tightening bounty programs amid automation-driven volume.

What This Means

GitHub’s policy shift signals that users cannot rely solely on bounty hunters or platform safeguards. The company is clearly stating that protection against social engineering and malicious content lies partly with the user.

Researchers are reminded to focus on high-impact, in-scope vulnerabilities and to thoroughly validate any AI-generated submission. For everyday developers and enterprises, the message is equally clear: always exercise caution when cloning repos, running untrusted code, or opening suspicious files.

As AI tools become more prevalent, the boundary between platform security and user responsibility will likely continue to blur. GitHub’s revised bounty program is just one of many adaptations the industry will need to navigate.

This story is developing. Check back for updates.
