
In a move that has sent ripples through the cybersecurity community, HackerOne has slashed its bug bounty rewards by more than 75%, raising questions about the future of ethical hacking and open-source security.
Finding vulnerabilities just doesn't pay like it used to. At least one bug hunter who reported an open-source security flaw months ago via HackerOne’s Internet Bug Bounty (IBB) program finally received payment, but at a drastically reduced reward rate. The researcher's finding was rated medium severity, a level that previously paid $1,843. As of Monday, HackerOne’s IBB pays just $297 for the same severity level.
The reductions are widespread. Critical vulnerabilities now fetch $2,257, down from $9,250. High-severity bugs are rewarded with $1,009, compared to the previous $4,429 payout. Low-severity bugs earn researchers a mere $68, down from $597.
The drastic reduction in rewards has sparked outrage among security researchers who rely on these bounties for income and recognition. Jakub Ciolek, a well-known hacker, previously told The Register that he reported a critical vulnerability to HackerOne but faced significant delays in receiving his $8,500 bounty. “HackerOne ghosted me for months,” Ciolek said. “This new reward structure is a slap in the face to the security community.”

The IBB program remains on pause and is not accepting new submissions. A spokesperson from HackerOne explained that the program is under review to "maximize value to researchers, sponsors, and the open-source ecosystem." However, this explanation has done little to assuage concerns among researchers who feel their contributions are being undervalued.
The reduction in rewards also comes at a time when AI-generated reports are becoming more prevalent. When asked if AI played a role in the pause and reduced reward amounts, HackerOne’s spokesperson did not provide a direct answer. Instead, they stated that bounty levels automatically adjust based on sponsor contributions, and payouts are regularly reviewed as outlined in the IBB program description.
HackerOne's decision to cut bug bounty rewards by more than 75% highlights the ongoing challenges in balancing the needs of security researchers, sponsors, and open-source projects. While the company aims to optimize its programs for all stakeholders, the drastic reduction in payouts risks demotivating ethical hackers at a time when cybersecurity threats are more prevalent than ever. The future of the IBB program and its impact on the broader security community remain uncertain as HackerOne evaluates its next steps.
Original Sources
HackerOne takes an axe to its bug bounty rewards
↗ https://www.theregister.com/security/2026/05/21/hackerone-takes-an-axe-to-its-bug-bounty-rewards/5244458
About the author
Marcus began tracking AI's market implications in 2016, noticing AI-related patent filings accelerating ahead of earnings upgrades before most of the sell-side had caught on. A former fixed-income quantitative analyst, he spent two decades building models that priced risk across emerging markets before pivoting to cover the economic impact of AI full-time. His writing translates opaque technical developments into clear risk/reward terms — and he's rarely diplomatic about the gap between AI valuations and underlying fundamentals. He believes most market participants still underestimate AI's long-run deflationary effect on knowledge work.