AI Bug Bounty in 2026: 76% More Reports, Programs Shutting Down

DEV Community: bugbounty · Maksim Danilchenko · 3 days ago
Tags: dev, reports, bounty, security, curl, hackerone

TL;DR

AI-assisted vulnerability discovery has broken the bug bounty model. HackerOne paused its Internet Bug Bounty program, Curl killed its bounty payments (then quietly came back without them), and Linus Torvalds calls the Linux kernel's security mailing list "almost entirely unmanageable." Report volumes are up 76% year-over-year, but only 25% flag real flaws. The same AI models also found 500+ zero-days in major projects and drove CVE disclosure surges of 563% in Chrome and 476% in GitHub products. The security community is split between researchers who can't process the flood and AI tools that keep making it worse.

The Inbox I Can't Keep Up With

I run a small open-source project on the side. Nothing close to the scale of Curl or the Linux kernel, but enough to get the occasional security report through GitHub advisories. In early 2025, I'd see maybe one report a quarter. By March 2026, I got seven in a single week. Six of them cited functions that don't exist in my codebase.…
