AI-Powered Vulnerability Detection Is Collapsing the Bug Bounty Economics

As LLMs automate security research, bug bounty programs face supply shocks and compressed disclosure timelines that threaten decades-old vulnerability management standards.

The Supply Shock: From Scarcity to Abundance

Agentic AI models have inverted the scarcity assumption that shaped vulnerability disclosure programs for two decades. According to Wired AI, independent security researcher Joseph Thacker has submitted roughly three times more bugs in the past year than in the prior year, and he projects that major companies like Google will spend 2–10 times as much on bug bounties as they did previously. The inflection point is clear: machines can now enumerate vulnerabilities faster than humans can triage them, process them, or deploy patches for them.

This supply shock is reordering the economics of security research. Researchers who have built careers around manual vulnerability discovery—finding market inefficiencies in software and selling findings to companies through structured programs—are now competing with automated systems that scale without fatigue. Wired AI notes that while low- and medium-difficulty bugs are flooding in this year, next year may see fewer human submissions as AI tools have already harvested the obvious vulnerabilities.

The 90-Day Disclosure Window Is Obsolete

The traditional responsible disclosure timeline, which typically allows 90 days between discovery and public announcement, was designed for a world where vulnerability discovery and exploit development were human-paced activities. That assumption no longer holds. Security researcher Himanshu Anand, cited in Wired AI’s reporting, observed that “LLMs have compressed both timelines”—research and weaponization now happen in parallel and at machine speed.

This compression creates cascading consequences. Developers face pressure to patch faster, which can increase the risk of deployment errors. Patch proliferation at scale introduces operational complexity; rolling out security updates without proper testing can trigger unintended system outages or service disruptions. The old window gave organizations breathing room. That room has closed.

Asymmetric Risk for Small and Mid-Market Companies

Wired AI’s reporting highlights a bifurcation in organizational readiness. Tech giants can absorb large increases in bounty payouts and maintain robust patch-management infrastructure. Most other companies cannot. As vulnerability discovery volume increases and disclosure timelines compress, smaller organizations face a squeeze: they receive more reports but have less time to respond, while their bounty budgets are less elastic than those of trillion-dollar platforms.

Thacker acknowledged the uncertainty around how long-term supply and demand will stabilize. If AI-assisted exploit development becomes widely accessible to attackers—which appears likely—defenders face a compounding problem: not only do vulnerabilities emerge faster, but the time window to patch before exploitation shrinks in tandem.

Why This Matters

The vulnerability disclosure ecosystem was designed as a negotiated détente between researchers and institutions. Raising bounty payouts was one mechanism to incentivize responsible reporting over public disclosure or quiet sale to attackers. That negotiation relied on scarcity—vulnerability discovery was expensive and slow.

Automation collapses both assumptions. Organizations that depend on the bug bounty program’s efficiency—small vendors with limited security staff, open-source projects with volunteer maintainers—will face the heaviest pressure. The standard 90-day disclosure window, which seemed like a durable norm last year, may become untenable if threat actors field similar AI tooling before patches deploy at scale. The result may be a bifurcated disclosure landscape: tight, automated timelines for high-stakes targets and slower processes for everything else—exactly the fragmentation that responsible disclosure programs were built to prevent.

Frequently Asked Questions

Why are bug bounty programs being flooded now?

Agentic AI models can autonomously discover vulnerabilities and develop exploits at scale. At least one independent researcher reports submitting roughly three times more bugs than a year ago, and this automated discovery is accelerating across the industry.

What happens to the 90-day disclosure deadline?

According to Wired AI's reporting, the traditional 90-day window was designed when bug finders were rare and exploit development was slow. That assumption no longer holds—LLMs have compressed both timelines, forcing reconsideration of responsible disclosure practices.

Can companies afford the cost increase?

Tech giants like Google can absorb 2–10x increases in bug payouts, but most mid-market and smaller companies lack the budget to scale payouts in tandem with AI-accelerated discovery rates.

How does this affect attackers?

The same AI tools that security researchers use for defensive work are available to threat actors. The compression of timelines creates urgency for defenders to patch vulnerabilities before attackers weaponize them at scale.