Executive summary The use of AI in vulnerability discovery brings both significant benefits and risks, particularly the potential for generating false positives and inaccurate vulnerability reports. An influx of unverified, AI-generated CVEs can overwhelm security databases, erode trust in the research process, and divert attention from genuine threats. Real-world cases, such as the shutdown of curl’s bug bounty program, highlight the operational challenges and negative impacts of low-quality AI-driven submissions. Human oversight is crucial for validating AI findings, ensuring that only legitimate vulnerabilities are reported, and maintaining the integrity of the CVE system. In the ever-evolving landscape of cybersecurity, the application of artificial intelligence (AI) in vulnerability discovery has emerged as a powerful tool. However, this tool, like any technology, carries risks that must be carefully managed.…