The Tyranny of Optimization and the Stability of Automated Governments - Katie Moussouris | BSidesSF 2026
Katie Moussouris – 25 min, intermediate
How AI automation is disrupting bug bounties, the labor market, and society, with warnings against the unchecked concentration of power.
The Enshittification of Bug Bounties
Bug bounties were intended to democratize security, but they are currently overwhelmed by AI-generated “slop.” This flood of automated, often hallucinated reports is crushing maintainers, especially in open-source projects.
- Bug bounty programs are flooded with known CVEs instead of novel vulnerabilities.
- AI tools are generating hallucinated reports that inexperienced users submit as real bugs.
- The curl project shut down its bug bounty program due to “death by a thousand slops.”
- FFmpeg received valid AI-generated bug reports from Google, but in a volume that overwhelmed its maintainers, highlighting that discovery now outpaces patching capacity.
Organizations are opening a wider mouth to ingest things for which you have no intestines.
Death by a thousand slops.
AI’s Impact on the Gig Economy and Labor
The current AI revolution mirrors past industrial revolutions, but with faster displacement. Society is entering a K-shaped economy where wealth concentrates at the top while knowledge workers lose leverage.
- 40% of US GDP is reliant on just seven mega-corporations.
- AI is replacing knowledge jobs faster than society can adapt or retrain workers.
- Gig economy platforms inherently benefit from removing human workers to increase volume and revenue.
- Autonomous AI systems (like Expo and Isle) are now capable of finding novel vulnerabilities without human intervention.
We are sitting here with front row seats to the biggest industrial revolution that the world has ever seen.
The gig economy has already eroded the leverage and the power of the human workers that helped build that platform in the first place.
Government Regulation and the Push for Dominance
The US government’s recent AI legislative framework prioritizes technological dominance over safety. Optimizing solely for dominance without societal safeguards is historically dangerous.
- The US government recently released a framework telling states to stop regulating AI.
- The legislative focus is heavily on “dominance” rather than safety or worker protections.
- Trusting the tech industry to self-regulate is a flawed strategy, as seen with social media.
Societies that optimize for dominance don’t last forever.
They’re just saying, cut it out. Just let the industry figure it out, right? That worked out great for social media.
Technologies
Claude, Bugcrowd, HackerOne, Expo, Isle, OpenSSL, curl, Node.js, FFmpeg, Google Code Mender
Frequently Asked Questions
How is AI disrupting bug bounty programs?
Bug bounties are being flooded with AI-generated “slop” – hallucinated or duplicate reports submitted by inexperienced users using AI tools. The curl project shut down its bug bounty entirely due to the volume of low-quality AI submissions.
What is the K-shaped economy in the context of AI?
The K-shaped economy describes how AI is concentrating wealth at the top (with 40% of US GDP reliant on just seven mega-corporations) while displacing knowledge workers faster than society can retrain them, widening inequality.
Why is AI self-regulation by the tech industry a problem?
The US government’s AI framework prioritizes technological dominance over safety and tells states to stop regulating AI. History shows that trusting industries to self-regulate, as with social media, leads to unchecked harms.