AI Powers Rapid Exploit Discovery, Outpacing Patch Response

Security researchers describe an escalating arms race in which both attackers and defenders use AI to scan codebases for vulnerabilities, a trend that is straining the programs built to manage bug reports. BleepingComputer reports that the curl project ended its bug bounty program in early 2026 after a flood of low-quality, AI-generated submissions, with the confirmed-vulnerability rate falling below 5% as maintainers spent more unpaid time triaging noise than fixing real flaws. SecurityWeek reports that Google overhauled its Vulnerability Reward Programs for Chrome and Android in response to AI-assisted discovery, raising top Android payouts (a persistent Titan M zero-click exploit now pays up to $1.5 million) while restructuring Chrome rewards toward higher-impact, harder-to-automate bug classes. Together the changes show maintainers and vendors redesigning incentives to separate high-value findings from automated noise as discovery-to-exploit timelines compress.
The shift
Generative AI now sits on both sides of vulnerability research. Defenders use it to scan and patch faster, while attackers use it to find and weaponize flaws, and a third effect has emerged: a deluge of automated, frequently low-quality bug reports that overwhelms the human systems built to review them.
Open-source strain
BleepingComputer reports that the curl project ended its long-running bug bounty in early 2026 after AI-generated submissions pushed its confirmed-vulnerability rate below 5%. The cost had shifted from payouts to triage, with maintainers spending unpaid hours rejecting reports that were never grounded in real software behavior. For small, volunteer-run projects that underpin much of the internet, that labor model does not scale.
Vendor response
SecurityWeek reports that Google restructured its Chrome and Android Vulnerability Reward Programs to refocus on the highest-impact bugs and on categories that are harder for automated tools to surface. Top Android rewards rose, with a persistent Titan M zero-click exploit now paying up to $1.5 million, while Chrome payouts were rebalanced toward higher-impact, harder-to-automate bug classes rather than raised across the board.
Why it matters
For security teams, the practical takeaway is operational: triage pipelines, reward structures, and maintainer capacity all need redesign for a world where generating a plausible-looking bug report is nearly free. Separating genuine high-impact findings from automated noise is becoming a core security-operations problem.
Key Points
1. AI-assisted scanners are compressing vulnerability discovery timelines while flooding intake channels with low-signal reports, forcing faster and more selective triage.
2. curl's shutdown of its bug bounty shows how AI-generated 'slop' can make volunteer-run open-source security programs economically unsustainable.
3. Google's VRP redesign signals a market-level response: pay more for high-impact, hard-to-automate findings and less for easily mass-produced reports.
Scoring Rationale
AI-driven automation is materially reshaping vulnerability economics, shortening time-to-exploit and overwhelming the triage and bug-bounty systems that security teams and open-source maintainers rely on. The concrete examples, curl ending its bounty and Google restructuring its reward programs, make this a notable, well-grounded operational signal rather than a single paradigm-shifting release.