COMMENTARY: Let’s be honest about the strategic choice that led to the rise of bug bounty platforms. As development accelerated, so did the threat landscape. Internal security teams were stretched thin, and traditional point-in-time pentests offered only a snapshot.
Companies needed a way to test continuously and with a greater diversity of skills. They turned to crowdsourced security, actively inviting thousands of researchers to find vulnerabilities — with the added complexities of coordinating vulnerability disclosures.
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.
But this created its own massive operational problem: a firehose of noise, false positives, and duplicates. Bug bounty platforms emerged to solve this, promising to act as the signal filter. They would take on the burden of triage, validation, and communication, delivering a clean, manageable list of bugs.
It was a great pitch. Unfortunately, that business model has broken down. These platforms, designed to manage chaos, are being consumed by it. They are the struggling middlemen in a failing system, and for organizations that care about actual risk reduction, their demise can’t come soon enough.
The future of security testing isn't about managing a crowd of bug hunters finding duplicate and low-quality bugs: it's about accessing on demand the best experts to find and fix exploitable vulnerabilities — as part of a continuous, programmatic, offensive security program.
A middleman wrapped in red tape
A bug bounty platform added value because of its triage process. They are the filter. But that filter has gotten perpetually clogged. For every valuable submission, they receive thousands of low-quality, duplicate findings from hunters using the same tools and generating AI reports. This unleashes a deluge of submissions that their staff — some of whom are not qualified to understand the findings — must sort through.
Their customers often don't see the web of administrative red tape this creates. The process of triaging submissions, validating findings that are often impossible to reproduce, proving exploitability, and negotiating disclosures has become an immense manual effort. It’s a slow, archaic process ill-suited to the rapid pace of modern development.
Here's the fatal flaw in the bug bounty platform's business model: their financial incentives are misaligned with their customers' security needs.
It requires significant and costly work to prove that a submitted bug is an exploitable vulnerability. For complex vulnerabilities — like a remote code execution in a specialized hardware device — the bug bounty company often lacks the deep subject matter expertise to validate the finding. Consequently, they are forced to subcontract the validation work to external specialists, typically larger pentesting firms.
It's a raw cost that eats directly into their profit margin. This creates a terrible incentive: there’s high pressure on the bug bounty company to automatically reject submissions or assign a lower severity rating to limit the number of bugs that require expensive human validation. The platform has become financially motivated to avoid the costly process of finding the very things their customers are paying them to find.
The rise of AI bug hunters
If the operational and economic model wasn't already on life support, the rise of AI-powered bug hunting has pulled the plug. Newly minted AI pentesting companies have developed advanced, AI-enabled fuzzers that now dominate bug bounty leaderboards. They are simply better and faster at finding entire classes of low-level bugs than the average human hunter.
This has turned the firehose of junk submissions into a smarter, higher-pressure torrent. Bug bounty platforms are now completely overwhelmed by the volume and complexity of AI-found bugs, which their manual, economically strained triage processes are simply not equipped to handle.
I expect a large impact on the bug bounty companies once AI pentesting becomes more accepted. The most successful AI pentesting companies will (short-term) position their products as an advanced tool that augments and levels up the DevSecOps pipeline. These tools will be used directly by dev teams rather than by security teams looking for an AI pentester companion.
In that go-to-market model, AI pentesting will capture most of the bugs currently being found and submitted to bug bounty programs — reducing bug bounty pools for payment, and reducing the need for managed bug bounty providers.
It’s unlikely bug bounty platforms can survive long-term when they have the overhead of validating findings from AI tools that are already smarter than their confirmation process.
That’s why a modern PenTesting-as-a-Service (PTaaS) model has so much promise. It’s designed to completely bypass the chaotic and broken middleman system.
On a PTaaS platform, AI serves as a powerful force multiplier for elite, vetted pentesters. The discovery, triage, and validation of vulnerabilities are integral parts of the service, not a separate, painful process inflicted on customers.
Instead of a filtered list of someone else's noisy bug submissions, the customer receives a clean, high-signal report of validated, exploitable vulnerabilities with clear remediation guidance. It's a direct partnership focused on accelerating risk mitigation, not just managing a bug queue.
The era of outsourcing security to a chaotic crowd managed by a struggling intermediary has ended. The bug bounty middlemen are dying. Stop paying for noise — and start investing in clarity.
Gunter Ollmann, chief technology officer, Cobalt