%20--%3e%3cdefs%3e%3cstyle%3e%20.st0%20{%20fill:%20%23061b40;%20}%20.st1%20{%20fill:%20%23306af1;%20}%20.st2%20{%20fill:%20%235ce5cf;%20}%20%3c/style%3e%3c/defs%3e%3cg%3e%3cpath%20class='st0'%20d='M55,10.5h9v3h-9v9h12V7.5h-12v3ZM64,19.5h-6v-3h6v3Z'/%3e%3cpolygon%20class='st0'%20points='69%2016.5%2078%2016.5%2078%2019.5%2069%2019.5%2069%2022.5%2081%2022.5%2081%2013.5%2072%2013.5%2072%2010.5%2081%2010.5%2081%207.5%2069%207.5%2069%2016.5'/%3e%3cpolygon%20class='st0'%20points='95%2010.5%2095%207.5%2083%207.5%2083%2022.5%2095%2022.5%2095%2019.5%2086%2019.5%2086%2016.5%2095%2016.5%2095%2013.5%2086%2013.5%2086%2010.5%2095%2010.5'/%3e%3cpath%20class='st0'%20d='M40,1.5v21h11.6l1.4-1.4v-7.6h0c0,0-1.4-1.5-1.4-1.5l1.4-1.4V2.9l-1.4-1.4h-11.6ZM50,19.5h-7v-6h7v6ZM50,10.5h-7v-6h7v6Z'/%3e%3c/g%3e%3cpath%20class='st1'%20d='M23.1,24L14.7,4.8l-4.9,11.2h3.8l-1.8,4H3.3L12.1,0H2C.9,0,0,.9,0,2v20c0,1.1.9,2,2,2h21.1Z'/%3e%3cpath%20class='st2'%20d='M34,0h-16.8l10.6,24h6.2c1.1,0,2-.9,2-2V2C36,.9,35.1,0,34,0ZM32.5,20h-4V4h4v16Z'/%3e%3c/svg%3e)
Due to the rampant issue of AI-generated fake vulnerability reports, the official team of the well-known open-source project Node.js has announced a suspension of cash rewards for vulnerability reporters through the HackerOne platform.
The vulnerability bounty platform HackerOne stated that in recent years, a large number of users have used AI tools to scan and submit vulnerabilities in bulk. This behavior has disrupted the balance of the open-source community: the speed at which vulnerabilities (or suspected vulnerabilities) are discovered far exceeds the speed at which developers can fix them. More seriously, these reports are filled with a large number of low-quality, false positives, or even fabricated reports.
To address this, the "Internet Bug Bounty Program" (IBB) on HackerOne has stopped accepting new reports, which directly cut off the external source of Node.js's reward funds.
As a project led by community volunteers, Node.js does not have an independent budget to pay bounties. Security company Socket pointed out that Node.js has already been adjusting its mechanisms:
Review burden: Each report requires developers to spend a lot of time verifying, and low-quality content generated by AI greatly wastes the time of volunteer maintainers.
Higher thresholds: In order to resist AI attacks, the project team previously significantly raised the submission threshold, but it is still difficult to resist the impact of automated tools.
The process remains unchanged, only the bounty is suspended
Node.js emphasized that although the bounty is suspended, the security assurance has not been "reduced":
Submission process: Researchers can still submit vulnerabilities through HackerOne.
Processing priority: The team will maintain the original response speed and patch release process to ensure the project's security.
Node.js is not an isolated case. In January of this year, the well-known network tool cURL also had to terminate its bounty program due to being "bombarded" by AI-generated reports. This reflects the systemic challenges traditional open-source incentive mechanisms are facing after the proliferation of generative AI: how to filter out truly valuable professional feedback has become a pressing problem for the open-source community.