Bug bounty surge

Public bug-bounty platforms are reporting a sharp jump in raw discoveries. HackerOne said vulnerability submissions are up about 76% year over year, the share of high-severity findings is climbing, and fixes are not keeping pace. (x.com) Separately, an AI model is being used to flag thousands more potential operating-system and browser flaws, and those findings are being routed to a small set of partners including banks, vendors and defenders, adding to the volume security teams must triage. (x.com)

Bug bounties are producing far more confirmed security flaws than companies are fixing, and the backlog hit a record in March 2026. (hackerone.com) HackerOne said submissions on its platform reached 46,947 in March 2026, up 76% from a year earlier. It said about 25% of those reports (roughly 11,700) were valid, exploitable vulnerabilities, so the number of real bugs rose along with the overall volume. (hackerone.com) The mix is also getting more dangerous. HackerOne said critical and high-severity issues made up 32% of validated findings, up from a historical range of 26% to 28%, while the rate at which fixes are closed improved only about 19% year over year, far short of the 76% rise in inflow. (hackerone.com)

A bug bounty is a paid reporting system: outside researchers find a software flaw, send it to the vendor, and get paid if the report checks out. The pressure point is triage, because every report has to be verified, ranked, assigned, and patched before it stops being just another queue item. (hackerone.com)

That queue is now being fed by artificial intelligence systems that read code the way spam filters read email, except that they are looking for exploitable flaws instead of junk messages. Anthropic said its Project Glasswing uses Claude Mythos Preview to help defenders find previously unknown flaws in critical software before similar models become broadly available. (anthropic.com) (red.anthropic.com) Anthropic said the model had already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser, and it launched Glasswing with partners including Amazon Web Services, Apple, Google, JPMorganChase, Microsoft, Nvidia, Palo Alto Networks, Cisco, Broadcom, CrowdStrike, and the Linux Foundation. (anthropic.com) The company is not releasing that model broadly. Anthropic said it is limiting access to a small group of critical-industry partners and open-source developers so defenders can patch important systems first. (red.anthropic.com)

Not everyone is accepting the scale claims at face value. CSO reported on April 16 that VulnCheck had identified only one confirmed CVE (Common Vulnerabilities and Exposures) entry tied directly to Project Glasswing so far, and said the harder question is how many of the model's findings turn into publicly documented bugs once vendors verify them. (csoonline.com) A count of model-flagged findings is not the same as a count of vendor-confirmed, fixed vulnerabilities, and the gap between the two is exactly what triage teams have to close.

The immediate result is more work for security teams, not less. HackerOne's March data showed a record inflow of reports, and Anthropic's rollout channels more machine-found leads to the same defenders who already have to sort valid exploits from false alarms and then get fixes shipped. (hackerone.com) (anthropic.com) For companies running bug bounty programs, the story in April 2026 is no longer whether more bugs can be found. The story is whether engineering teams can close them fast enough before the pile gets bigger again next month. (hackerone.com)

Shared from Scout.