On April 13th, HackerOne, a vulnerability bounty platform, announced that because a large number of users have been submitting vulnerability reports produced by AI scanning in recent years, the balance of the open-source ecosystem has been disrupted. The speed at which vulnerabilities are discovered cannot keep up with the speed at which they are fixed, and many of the submitted reports are fake. Therefore, effective immediately, the platform’s Internet Bug Bounty Program (IBB) will stop accepting new vulnerability submissions. This change quickly affected several open-source projects.
Node.js subsequently issued a statement saying that due to the suspension of HackerOne’s corresponding bounty program, its funding source for vulnerability rewards has been cut off. As a community-volunteer-led open-source project, Node.js does not have an independent budget to continuously pay vulnerability bounties; therefore, without external funding support, it will suspend rewards for vulnerability reporters.

However, Node.js emphasizes that the vulnerability submission process remains unchanged, and researchers can still submit issues through the HackerOne platform. The project team will continue to treat vulnerabilities with equal priority, and related disclosure policies, response times, and patch release processes remain unchanged.
Public information shows that HackerOne’s “Internet Bug Bounty Program,” which is funded by multiple software companies and officially launched in 2012, primarily provides cash rewards to vulnerability discoverers, with cumulative payouts exceeding $1.5 million.
Regarding this change at Node.js, security company Socket points out that before HackerOne’s “Internet Bug Bounty Program” stopped accepting new vulnerability submissions, Node.js had already begun adjusting its bug bounty mechanism, significantly raising the submission threshold. This was mainly because the reward mechanism attracted a large number of low-quality, AI-generated fake vulnerability reports. Yet every report received still required developers to invest substantial effort in verification, placing a significant burden on volunteer maintainers.
It is worth noting that Node.js is not the only project affected by the flood of AI-generated vulnerability reports. For example, in January of this year, cURL also announced the termination of its bug bounty program, likewise because it was being bombarded with low-quality vulnerability reports generated by AI.