A wave of retreat reveals the crack in the model
Within a few months, the bug bounty world has shifted under its own weight. curl, one of the most respected open‑source projects on the planet, is shutting its program down. The Internet Bug Bounty has paused new submissions. HackerOne, Bugcrowd and YesWeHack have rolled out increasingly aggressive AI triage layers, reputation penalties and “AI slop” filters – all aimed at the same enemy: noise.
Noise is the prime problem: low-quality, AI-generated submissions overwhelming the supply of real signal. But raw volume sits right behind it. Even if every report were valid, an uncontrolled inbound flow is more than any program can absorb. If you don’t control the input, you end up with more than you can handle. What was once a clever marketplace for talent has become a mailroom that programs can no longer keep up with.
The traditional model treats noise as something to filter, not prevent
Every response from the incumbents shares the same shape: better triage, smarter filters, stricter reputation systems – more humans or AI sitting at the end of the pipeline trying to separate signal from garbage after the fact. This is the logical endpoint of a manual, marketplace‑first approach. Platforms sell access to a crowd, the crowd produces submissions, and the customer sorts through the result. The architecture has no concept of context, no memory of what was already tested, no understanding of what a given customer needs to know. Noise gets generated by design and filtered as an afterthought – and even when filtering works, the volume problem remains.
Underneath sits a deeper problem: the commercial model rewards volume. When pricing is anchored to the number of vulnerabilities reported or paid out, the platform’s incentive runs against the customer’s. More findings mean more revenue, regardless of whether those findings change anything for the business. The system is wired to produce more reports, not better security. That worked, barely, until generative AI removed the cost of producing a plausible‑looking report. Now the model is breaking in real time.
Our approach starts one step earlier
The Cyber Resilience Shield was not built as a marketplace with filters bolted on. It was built around the full job a security testing programme has to do – scope, execute, report – and around the recognition that both noise and volume are scoping problems long before they are triage problems.
Scoping is data‑driven and AI‑powered: a structured corpus of real‑world testing history, combined with per‑tenant memory and AI‑guided matchmaking, tells the platform what has already been tested, what matters in a given business and regulatory context, and where the next test should focus. Execution is orchestrated, not crowdsourced into a void: vetted ethical hackers and offensive AI agents are matched to specific testing needs. Reporting is contextualised and validated against business impact, not handed off as a raw queue.
The consequence is structural. When you scope precisely, dispatch deliberately and validate against context, you control both the quality and the quantity of what comes back: you do not produce noise that needs to be filtered later, and you do not generate volume the receiving end cannot absorb. You produce findings that already mean something, in the amount the organisation can act on. And because we sell the outcome (security testing coverage) rather than the count of vulnerabilities, our incentives sit on the same side of the table as the customer’s.
Two different bets on where the value sits
The industry is now revealing which bet each player has placed. The platforms tightening their filters are betting that the marketplace model can be saved by smarter gatekeeping on top of an incentive structure that rewards volume. We are betting that the model itself is the problem – that as offensive AI gets cheaper, any approach which generates noise and filters it downstream, while being paid per finding, will keep losing ground to one that suppresses noise upstream and is paid for outcomes.
This is also why AI is a tailwind for us rather than a threat. Better models make the scoping smarter, the matchmaking sharper, the validation tighter. The same forces flooding traditional bounty programs with low‑quality submissions are strengthening an end‑to‑end, data‑driven platform.
Why this matters now
Regulation is moving in the same direction. DORA, NIS2, FINMA and the Cyber Resilience Act are all pushing organisations away from point‑in‑time testing and toward continuous, threat‑led, evidence‑producing security testing. Boards need visibility and clarity in their context, not inboxes full of technical submissions. The retreat from open bounty programs signals that the old format cannot meet that bar – and that the market is ready for an approach that delivers the outcome rather than just the tools to chase it.
The bug bounty industry is busy building better filters. We’ve built the enterprise operating system for security testing in the agentic world.
About Florian Badertscher

Badertscher is deeply embedded in the security community and a sought‑after speaker at industry events. He is a member of the Swiss Federal Council’s expert advisory board on digital identity. Following earlier roles at Compass Security and Swisscom, he brings extensive expertise in cyber defense, incident response, and penetration testing. He holds an Executive MBA in Innovation Management, a Bachelor’s degree in IT Security, and is a certified OSSTMM Security Tester.