GitHub Cuts Cash Bounties for Low-Impact Bugs, Urges Researchers to Focus on Real Threats
Breaking: GitHub Overhauls Bug Bounty Program, Cuts Cash Rewards for Low-Severity Reports
GitHub has announced a major shift in its bug bounty program, replacing cash payouts with swag for low-impact security reports and calling on researchers to stop submitting low-quality or out-of-scope findings. The move comes as the platform experiences a surge in submissions, many generated by AI tools that fail to demonstrate real security threats.

According to Jarom Brown, a senior security researcher at GitHub, "Not every valid submission represents a meaningful security risk. Some reports identify hardening opportunities or documentation gaps." Brown emphasized that the company still values researcher contributions but needs to focus on genuine vulnerabilities.
Background
GitHub’s bug bounty program has long offered cash rewards for security flaws found on its platform. Over the past year, the volume of submissions has skyrocketed, driven by new generative AI tools that can automate the search for weak points.
Brown explained that many reports describe out-of-scope scenarios where a user interacts with malicious content. "These reports are often well-written and technically accurate, but they misunderstand where the security boundary lies," he wrote in a blog post. When an attack requires the victim to actively engage with attacker-controlled content, it does not represent a bypass of GitHub’s controls.
The company now asks researchers to avoid submissions about issues that do not stem from a weakness in GitHub’s own controls. This includes reports lacking a proof of concept, theoretical attacks that don’t hold up in practice, and issue classes already listed as ineligible for rewards.

What This Means
Researchers will now receive only swag—merchandise like stickers and t-shirts—for low-severity reports. High-impact vulnerabilities still qualify for cash bounties, but the bar for what constitutes a real threat has been raised.
Brown made clear that GitHub welcomes AI tools in security research: "AI is a force multiplier, and we expect it to play an increasing role in security research." However, any AI-generated finding must be reviewed and validated by a human before it is submitted. This rule applies to every tool used in bug hunting.
GitHub is not alone in struggling with AI-generated noise. Industry analysts note that security vendors, open-source maintainers, and bug bounty platforms are increasingly complaining about low-quality automated reports. The open-source project curl has eliminated its bug bounty because of "AI slop," and HackerOne paused payouts for certain categories last year.
For researchers, the takeaway is clear: focus on high-impact, verified vulnerabilities. GitHub’s move aims to streamline its triage process and ensure that legitimate threats get prompt attention, while reducing wasted effort on noise.