AI Starts "Shearing the Wool" (Farming Freebies): Node.js Forced to Halt Bounties Over Fake Vulnerability Reports
AI can write code, review code, and now it can also flood vulnerability reports.
On April 13th, HackerOne officially paused its 14-year-running "Internet Bug Bounty Program" (IBB), no longer accepting new vulnerability submissions.
The stated reason is a strategic adjustment by the platform; the real reason is simpler: AI-generated fake vulnerability reports have overwhelmed the maintainers.
HackerOne's official statement put it this way: AI tools now make finding (or appearing to find) vulnerabilities far faster than fixing them, flooding the platform with low-quality, false, and even forged reports and upsetting the balance the open-source community depended on.
The first to fall was Node.js.
The Node.js project then announced that, because HackerOne's bounty program had been suspended, it would stop paying rewards to vulnerability reporters.
As a purely community-driven open-source project, Node.js has no budget of its own to fund a bounty pool. Once the external funding stopped, the bounties went straight to zero.
In fact, Node.js had already been forced to adjust before HackerOne's official pause.
Security company Socket pointed out that Node.js had earlier raised its submission threshold significantly, but even that could not hold back the flood of AI-generated reports: each one required volunteers to spend considerable effort on verification, and nine out of ten turned out to be AI-generated.
Nor was Node.js the first to fall.
In January this year, cURL founder Daniel Stenberg announced the end of the project's bug bounty program for the same reason: in a single week the team received 7 AI-generated "pseudo-vulnerability reports" that cost 16 hours of work in total. They read as linguistically rigorous and structurally complete, but after manual verification every one of them was junk.
He called such reports "AI slop": plausible-looking but useless filler.
The absurdity is that bug bounties were meant to reward high-quality security research with real money, but AI has lowered the cost of submitting a report to zero: run an AI over the codebase, have it generate dozens of plausible-looking reports, submit them all blindly, and if even one hits, it pays off.
Maintainers drown in garbage reports and have no time left to review genuine vulnerabilities.