al-ice.ai

HackerOne — Prompt Injection Reports Surge 540% Year-over-Year

Security by al-ice.ai Editorial

AI relevance: The dramatic rise in bug-bounty submissions for prompt injection and AI-specific vulnerabilities signals that the AI attack surface has matured from theoretical risk into a heavily-researched, actively-exploited domain — and that defenders need to treat agent interfaces with the same rigor as network endpoints.

The numbers

  • AI vulnerability reports on HackerOne surged more than 200% year-over-year in 2025, according to data compiled by the StingRai research team from HackerOne's public disclosure data.
  • Prompt injection submissions alone jumped 540% — the single fastest-growing vulnerability category across the entire platform.
  • For context, total public CVEs reached 48,185 in 2025, up 20.6% from 2024's record 40,009.
  • The NVD transitioned to a triage model on April 15, 2026, enriching only the 15–20% of incoming CVEs that intersect CISA's KEV list or federal-critical software — leaving the long tail of AI-specific findings largely un-enriched.
  • Mandiant's M-Trends 2026 reports mean time to exploit at negative seven days — attackers routinely find and exploit bugs before patches ship, and AI agents that auto-execute code from untrusted sources compress this window further.

Why it matters

  • The 540% spike isn't noise — it reflects real-world bug hunters finding exploitable injection vectors in production AI agents, IDEs, and MCP-connected tooling at scale.
  • Traditional bug-bounty programs weren't designed for vulnerabilities where the "exploit" is natural language, not binary payloads. Triage and severity scoring are still catching up.
  • As AI agents gain tool access (file system, APIs, payments, email), the impact surface of a successful injection attack grows from content manipulation to real-world action.
  • The gap between vulnerability discovery and remediation is widening: NVD no longer enriches most CVEs, and AI-specific findings lack standardized severity frameworks.

What to do

  • Run AI-specific vulnerability scanning alongside traditional SAST/DAST — tools like NVIDIA's garak, Microsoft's MDASH, and agent firewalls (e.g., pipelock) catch injection vectors conventional scanners miss.
  • Enforce data-instruction boundaries: any content ingested by an agent from untrusted sources (web pages, emails, retrieved documents) must be treated as potentially adversarial.
  • Prioritize prompt injection in your threat model — the 540% surge means you are competing with thousands of independent researchers who are actively looking for these flaws in your systems.
  • Watch CISA KEV and MITRE ATLAS for emerging AI-specific exploit patterns — the NVD's triage model means you can no longer rely on automatic CVE enrichment for early warning.

Sources: