Zero Day Initiative — AI-Driven Bug Submission Surge Forces Major Programs to Pause

AI relevance: Automated vulnerability discovery by AI coding agents and LLM-assisted research is flooding bug bounty programs with submissions, forcing major disclosure channels to pause or restructure while the quality and severity of AI-found bugs simultaneously increases.

  • The Zero Day Initiative (ZDI), Trend Micro's program and the world's largest vendor-agnostic bug bounty, reported a 490% increase in submissions in April 2026 compared to April 2025, according to data shared with Mashable.
  • The Internet Bug Bounty (IBB) program, administered by HackerOne and funded by major tech companies, announced on March 27 that it is pausing all submissions entirely, citing that AI-assisted research is "expanding vulnerability discovery across the ecosystem" and changing the landscape of bug discovery.
  • cURL lead developer Daniel Stenberg paused the cURL bug bounty in January 2026 after receiving more reports in 2025 than the previous two years combined, with volume expected to double again in 2026.
  • The character of submissions has shifted: Stenberg confirmed in April that over 20 open-source projects now report receiving "decently high-quality security reports" from AI tools — a reversal from the low-quality noise that dominated 2025.
  • Anthropic's Claude Mythos discovery campaign compounds the problem: the company stated that fewer than 1% of vulnerabilities discovered so far have been fully patched, and that it had to hire security contractors simply to manage the disclosure pipeline.
  • The strain cascades to maintainers: even confirmed vulnerabilities face delayed patches because triage teams cannot process the volume, creating a growing backlog of unpatched, AI-discovered flaws in production software.

Why it matters

AI vulnerability discovery was previously dismissed as generating mostly false positives. That has changed. The combination of Claude Mythos-class capability and widespread use of AI coding assistants means the absolute number of real vulnerabilities found is growing faster than maintainers can patch them. This creates a widening window of exposure: bugs exist, are known to researchers, but remain unfixed in production. The IBB shutdown removes one of the few structured coordination channels for cross-vendor vulnerabilities, potentially pushing more reports into uncoordinated disclosure or, worse, exploit development.

What to do

  • Monitor unpatched AI-discovered CVEs in your dependency tree. The patch lag means vulnerabilities may be known but unpatched for months. Use automated dependency scanning (Dependabot, Renovate) with expedited review for security advisories.
  • Track alternative disclosure channels. With IBB paused, researchers may disclose via individual vendor programs or public channels. Subscribe to HackerOne, OpenSSF, and direct vendor security mailing lists.
  • Pressure-test your triage process. If your organization runs a bug bounty, expect AI-driven volume increases. Build automated deduplication and severity triage to avoid maintainer burnout.
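
The deduplication and severity-triage step above is the part most programs can automate immediately. The following is an added example (not code from ZDI, IBB, HackerOne or cURL) of the intake logic: reports are keyed on a normalized fingerprint of component, weakness class and code location (titles are ignored because they vary most between reporters), duplicates are folded into the earliest submission, and the remaining queue is ordered by CVSS v3 qualitative rating with reports lacking a reproduction step flagged for follow-up rather than dropped. The report field names and the sample submissions are constructed for illustration.

```python
"""Deduplicate and severity-rank incoming vulnerability reports.

Added example, not the code of any bounty program named on the page. It
assumes reports arrive as dicts with the keys used in SAMPLE_REPORTS; those
field names and the sample data are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed sample intake: three submissions describe the same bug in the
# same location with different wording; the other two are distinct issues.
SAMPLE_REPORTS = [
    {"id": "R-1001", "received": date(2026, 4, 1), "component": "libparse",
     "weakness": "CWE-787", "location": "src/hdr.c:parse_header",
     "cvss": 8.8, "has_repro": True,
     "title": "Heap overflow in parse_header via oversized Content-Length"},
    {"id": "R-1002", "received": date(2026, 4, 1), "component": "LibParse ",
     "weakness": "cwe-787", "location": "src/hdr.c::parse_header()",
     "cvss": 9.1, "has_repro": False,
     "title": "Out-of-bounds write in header parser"},
    {"id": "R-1003", "received": date(2026, 4, 2), "component": "auth",
     "weakness": "CWE-287", "location": "src/auth.c:verify_token",
     "cvss": 9.8, "has_repro": True,
     "title": "Token signature not verified"},
    {"id": "R-1004", "received": date(2026, 4, 2), "component": "libparse",
     "weakness": "CWE-787", "location": "src/hdr.c:parse_header",
     "cvss": 7.5, "has_repro": True,
     "title": "Memory corruption parsing headers"},
    {"id": "R-1005", "received": date(2026, 4, 3), "component": "cli",
     "weakness": "CWE-400", "location": "src/main.c:read_config",
     "cvss": 3.7, "has_repro": False,
     "title": "Unbounded config read causes slow start"},
]


def _norm(value: str) -> str:
    """Lower-case and strip punctuation/whitespace so cosmetic differences
    between submitters do not defeat deduplication."""
    return re.sub(r"[^a-z0-9/.]+", "", value.lower())


def fingerprint(report: dict) -> str:
    """Stable key for 'same bug': component + weakness class + code location.
    Titles are deliberately excluded; they vary the most between reporters."""
    return "|".join(_norm(report[k]) for k in ("component", "weakness", "location"))


def severity_bucket(cvss: float) -> str:
    """CVSS v3 qualitative rating scale."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def dedupe(reports: list[dict]) -> tuple[list[dict], dict[str, list[str]]]:
    """Group by fingerprint. The earliest-received report becomes the canonical
    record and inherits the highest claimed CVSS of its group (a human
    re-validates the score later; the point is not to under-rank it).
    Returns (canonical reports, {canonical id: [duplicate ids]})."""
    groups: dict[str, list[dict]] = defaultdict(list)
    for r in sorted(reports, key=lambda r: (r["received"], r["id"])):
        groups[fingerprint(r)].append(r)
    canonical, dup_map = [], {}
    for members in groups.values():
        head = dict(members[0])
        head["cvss"] = max(m["cvss"] for m in members)
        head["has_repro"] = any(m["has_repro"] for m in members)
        canonical.append(head)
        dup_map[head["id"]] = [m["id"] for m in members[1:]]
    return canonical, dup_map


def triage(reports: list[dict]) -> list[dict]:
    """Ordered work queue: highest severity first, then oldest first. Reports
    without a reproduction step are marked for follow-up, not dropped."""
    canonical, dup_map = dedupe(reports)
    queue = [{
        "id": r["id"],
        "received": r["received"],
        "severity": severity_bucket(r["cvss"]),
        "cvss": r["cvss"],
        "duplicates": dup_map[r["id"]],
        "status": "ready" if r["has_repro"] else "needs-repro",
        "title": r["title"],
    } for r in canonical]
    queue.sort(key=lambda q: (-q["cvss"], q["received"], q["id"]))
    return queue


if __name__ == "__main__":
    for item in triage(SAMPLE_REPORTS):
        print(f'{item["severity"]:<8} {item["cvss"]:>4} {item["id"]} '
              f'dups={len(item["duplicates"])} {item["status"]:<11} {item["title"]}')
```

Running the sample collapses the three header-parser reports into one Critical item with two linked duplicates, leaving a queue of three instead of five; the fingerprint is what keeps the re-submissions an AI tool tends to produce in slightly different words from each consuming a separate triage slot.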

Sources