Last month, I launched Claude on a private program one evening. By the next morning, it had found me about ten bugs. Without me doing anything. Sounds great on paper. Except half of them were duplicates, and the rest took weeks to get triaged because the report queue on that program had become unmanageable. Welcome to bug bounty in 2026.
I've been doing bug bounty full time for 4 years now. I've watched this discipline evolve, for better and for worse depending on how you look at it, and we're going to break it all down today. This is not a neutral article. I have a conviction: bug bounty as we know it is dying. What comes next can be better, if we play it right.
I'm also working on a practical guide on how to actually use AI in bug bounty with all the tools dropping every day, so you don't get lost. If you want to know when it's out, subscribe.
Alright, let's talk about what's happening right now. Since December 2025, AI agents becoming accessible to everyone started shaking things up. Agents existed before that, but it was experimental, you had to build them yourself and configure them properly. Since Claude Code brought this to the public, things have shifted.
But does that mean bug bounty is dead? No. Let's nuance this.
The AI tsunami on bug bounty
Let's start with the negatives so we can end on a more constructive note.
The hunter drowning in noise
As hunters, we now have an arsenal of agents that can look for bugs on our behalf, 24/7 (when they actually work).
Everyone is getting a Claude Max subscription, launching it on all their targets, white box or black box, with MCPs, Chrome instances connected to a proxy to intercept and replay requests. And there's a cool side to it, but we'll get to that.
What I notice most is that it massively dilutes our focus. With all this, we want to go fast, we want the AI working for us all the time. We end up in a constant mental fog, jumping from one tmux pane to another, switching from one program to the next.
We're also facing much longer delays. Where before maybe 80% of reports were already bad or automated, now it's hitting new highs. And you can see it: many bug bounty platforms are mass-hiring new triagers who aren't necessarily well-trained, which stretches triage times and especially payment times. This is already an uncertain job, and that doesn't help.
We also waste a ridiculous amount of time tweaking our Claude setup, checking the news, trying the latest trendy tool or skill. It can be a good thing, or it can be fake productivity. You're never sure you're up to date, and you spend more time configuring your tools than actually hunting. Obviously, this is my perspective and my feeling. There are hunters who keep doing things the old way with zero issues.
There's also this constant fear of seeing the next Anthropic announcement, the benchmarks that send chills down your spine, the vulnerabilities found in browsers that could take years of research for some hackers, reduced to a few hours with the latest models.
At the end of the day, it's like automation, but at a massive scale, and everyone is using it at the same time. For the next live hacking events, I'm afraid it's going to be mostly an army of agents ready to be deployed on the target, a huge number of duplicates, and exhausted triagers.
Everyone now thinks they can be a bug hunter with a Claude subscription and some spare time. And that's both true and false. Yes, Claude will find bugs, just like a good scanner could back in the day. But there's still work to do if you don't want to get left behind.
Platforms under pressure
On the platform side, I'm not part of any, but from what I see and hear, it's a mess. Triagers hired in bulk, not necessarily prepared for what they're about to receive.
Mediocre reports inflated with "CRITICAL FINDING" for some low-severity garbage. It's exhausting. It takes time from triagers, it erodes the credibility of platforms that can't handle the flood, and it wastes the time of hunters who do solid work and report real vulnerabilities.
We also keep hearing about models trained on our reports. True or not, we don't know, but it's probably what's coming. HackerOne has started investing heavily in AI, both for report submission and triage. And when you see the quality of some triages on that platform, adding an AI layer on top risks bringing even more friction.
Clients pulling back
Companies running bug bounty programs are getting hit hard too. They're receiving an unprecedented volume of reports, not always good ones, but sometimes really good ones too, let's be honest. Result: they have to pay a lot of bounties, and that's scary.
So more and more companies are stepping back from bug bounty, while others increase their rewards or change their policy. Google for example raised their VRP payouts recently, but not everyone can afford that.
Some public programs have gone private given the volume of reports received. That's understandable.
And most importantly: why keep doing bug bounty when you can just run Claude internally with full knowledge of your codebase and source code?
That's what's starting to happen. We're getting internal duplicates because companies are also running Claude on their own code, and rightfully so. It's become a race over who hits the scope first.
The picture is pretty dark so far. But there are concrete reasons not to panic.
Why the hunter isn't dead
Being scared is fine, but if we let Opus and the next models take everything we do, it's game over.
We haven't lost everything yet, whether as a hunter, a platform, or a client.
First, since everyone is vibe coding now, and vibe code creates bugs, there will always be bugs. And even without vibe coding, as long as there are programs, websites, applications, even coded by AI trained on human code, there will always be mistakes.
The augmented hunter
There are several ways to face this wave. The first: get on the train and use Claude or any other AI daily, as an assistant to find bugs.
It's a bit like automation in itself. It helps find bugs that are "easy" to find in the first place. But for now, business logic bugs, complex chains, or anything slightly sophisticated, you still need human understanding. You just have to set aside the frustration of processing times, of Claude screaming "CRITICAL FINDING" for a missing SPF record.
Concretely, I've started finding quite a few interesting bugs on attack surfaces we wouldn't have dug into ourselves. One example: on a recent program, Claude identified a permission chain across three endpoints that I probably would never have connected manually. Where that kind of task could have taken several days of code reading, it was wrapped up in an afternoon while I was doing something else.
But now is the time to be truly creative and stop chasing low findings. It's possible, but you have to be first on it, and it's frustrating and tiring.
I'll be publishing a guide here soon on how I use AI daily in bug bounty, which I'll try to keep updated as things evolve. Subscribe if you want to get it directly.
Research as the new playground
Another interesting area to explore is specific research. Where before it could take months to ramp up on a target to find 0days, the barrier to entry has gotten much lower.
Just look at the browser research done recently with Opus 4.6; it's insane. One way to keep going in this field is to explore and find new techniques on open source projects, then scale into bug bounty.
Creativity as the last edge
What's going to make the difference now is creativity in how we hunt. Where technical expertise was the big barrier to entry, it's been drastically lowered by AI.
But that's not enough to find big bugs. Our expertise still lets us steer AI toward the right lead, to know where to dig. And that's where we still have a card to play. For how long, I don't know, but might as well make the most of it.
Building expertise in a domain will always be useful. And I have no doubt we'll all know how to pivot, whether into another cybersecurity discipline or something else entirely. It's scary and that's normal, but it's like every evolution. We're part of the first wave to realize it, so let's make something good out of it.
If you want to build an app, it's easy now. The time between an idea and a finished product has dropped drastically. It will create bad and incomplete products, but the most interesting ones will come out on top. Everyone has a card to play here.
On my side, you can follow the progress of my projects here on this blog. I'm not going to do only bug bounty but put my eggs in other baskets, for safety but mostly for fun.
What platforms and clients gain from this
Companies are starting to use AI too, more moderately than hunters, and that's normal. When you hand an entire codebase over to Claude, one that took years to build, you have to be careful.
On the other hand, from a security perspective, it's also a good thing. It helps secure apps in a new way and gives another perspective on your own security.
And for small companies that can't afford three pentests a year, having Claude do a broad sweep is an excellent idea.
On the platform side, using AI partly to analyze reports and detect duplicates more easily can help. A real triager will always be necessary for the technical analysis of a bug, but being assisted by AI helps move faster.
In the end, it can greatly improve the security of the systems we use, if it's used well and with good intent. Not everyone uses it the right way, myself included on some projects, but we'll see where it takes us.
What I believe is coming
The bug bounty of 2024 is dead. The one in 2026 is a different sport. The hunters who will make it are not those who launch the most agents, but those who know what to look for and where to look. AI is a multiplier, not a replacement. If you multiply zero by a thousand, it's still zero.
My conviction: in a year, the market will polarize. On one side, augmented hunters finding complex bugs faster than ever. On the other, an ocean of noise generated by poorly piloted agents. The platforms that figure out how to filter that noise will survive. The rest won't.
And we, as hunters, have a simple choice. Complain that things were better before, or learn to play by the new rules. I know what I'm choosing.
Tell me in the comments or on X what you think. And share this article if you know hunters or security people asking themselves the same questions.
Every Wednesday, I write about my progress in cybersecurity and other topics I'm into. If that sounds like your thing, subscribe.