
GitHub swaps cash for swag bounties
TL;DR: GitHub is updating its bug bounty program to handle a massive increase in low-quality submissions, many generated by AI tools. The company is tightening its standards and will now reward certain types of lower-impact vulnerability reports with merchandise instead of cash payments to discourage spam.
Key facts
- Category: Cybersecurity
- Impact: Low
- Published:
- Source: The New Stack
Full summary
GitHub is changing its bug bounty program to manage a surge in low-quality, AI-assisted vulnerability reports, offering swag instead of cash for some.
GitHub is officially changing its bug bounty program in response to a significant increase in vulnerability submissions. The company's security team has observed a surge in low-quality reports, attributing the trend to the growing use of AI-assisted security tools. These automated tools often generate a high volume of generic or invalid findings, overwhelming the program's reviewers. To address this, GitHub is tightening its submission standards. A key part of this new policy involves changing the reward structure. For certain lower-impact or less creative vulnerability discoveries, GitHub will now offer company merchandise, or "swag," as a reward instead of a cash payment.
This policy change highlights a growing challenge for organizations that run public bug bounty programs. The rise of AI in security research is creating a "deluge" of reports that can drown out genuine, high-impact vulnerabilities, consuming valuable time and resources from security teams. By introducing non-cash rewards for less critical bugs, GitHub aims to better manage its resources and focus on rewarding researchers who uncover more serious security flaws. This sets a new precedent that could influence how other companies adapt their own bounty programs to the new reality of AI-driven security scanning, emphasizing the value of human expertise over automated report generation.
Why it matters
This signals a major shift in how companies might handle bug bounty programs in the age of AI. The focus is moving from rewarding all valid reports to prioritizing high-quality, human-driven research over low-effort, automated submissions, potentially changing the economics for security researchers.
Business impact
Companies running bug bounty programs may spend less on low-impact payouts and can redirect security-team time toward investigating serious threats. However, the change could also discourage some researchers from reporting minor flaws, which can still pose a cumulative risk if left unaddressed.
Primary source: The New Stack