Why vulnerability reports are no longer 'special': the false-alarm problem in the bug-bounty ecosystem

Filippo Valsorda, former Go programming language security lead and now an independent security researcher, summarized a fundamental problem with the modern bug-bounty ecosystem in a blog post on Monday: vulnerability reports are no longer "special," and the situation has become a serious challenge for open-source maintainers. The post was discussed at the top of Hacker News throughout the day.
Valsorda's argument is straightforward: in the 2010s, a vulnerability report was a relatively rare, attention-grabbing event for a project's team. It would typically be an email from an experienced researcher full of detailed evidence and recommendations. In 2026, in an environment with automated scanners and AI-generated reports, this structure has changed.
The main claim of the post is that as the volume of reports has risen, the signal-to-noise ratio has fallen. Valsorda says that an open-source maintainer can receive dozens of "I found something" reports per week, but the overwhelming majority are either false positives (no problem), poorly described (missing evidence), or duplicates of known issues.
One point the post returns to, and that Valsorda especially emphasized: "Bug bounty programs were designed as an attack-surface-reduction tool; but for maintainers they have become a spam-management system." He suggests this spam-management burden is accelerating burnout among volunteer open-source maintainers.
Valsorda said the problem has several sources. First, AI-generated reports. Both large language models (LLMs) and automated static-analysis tools are producing reports of findings that are not real or that are overstated. Second, the reward incentives at bug-bounty platforms (HackerOne, Bugcrowd) tend to reward quantity of reports.
The post highlights that the open-source ecosystem (projects such as the Linux kernel, OpenSSL and FFmpeg) is the segment most affected by this dynamic. The maintainers of these projects lack the personnel to keep up with the changes in the reporting ecosystem, and CVE assignment, which depends on MITRE's limited capacity, is already backlogged.
Google's Project Zero team made a similar point in a blog post last year: "automated scans are not a meaningful signal for us, and most often are noise." Project Zero accepts only findings verified by hands-on research in its own work.
At the center of Valsorda's proposed solutions is a redesign of the reporting process. His suggestions include: (1) an automated verification layer that sets priority order, (2) wider distribution of CVE-assignment authority, (3) restructuring bug bounty reward systems toward repeated, high-quality evidence providers instead of one-shot reports, and (4) separate classification of AI-generated reports.
GitHub Security Lab director Bas Alberts joined the Hacker News discussion with a comment: "Valsorda's argument aligns with what we see on GitHub. AI-generated reports require much stricter validation to pass an acceptable quality threshold." Alberts added that GitHub will refresh its report-validation structure later this year.
Valsorda's post is part of a wider industry debate: how should the economic incentives of security research be rebalanced? If rewards encourage quantity of reports, the field will naturally generate noise. A redesign is needed, or, as Valsorda also notes, a new financial framework for the protection of the open-source ecosystem.