OPEN LINK ↗
// 75d agoNEWS
Node.js gates HackerOne reports to block AI slop
Node.js updated its HackerOne bug bounty program to require a Signal score of ≥1.0, blocking researchers without a valid track record from submitting directly after 30+ low-quality AI-generated reports flooded the team in a single holiday month. Researchers below the threshold must now contact security stewards via OpenJS Foundation Slack instead.
// ANALYSIS
AI-generated bug report spam is quietly breaking open-source security pipelines — and Node.js's Signal gate is the pragmatic middle ground between doing nothing and cURL's nuclear option of quitting HackerOne entirely.
- –HackerOne Signal (scale -10 to +7) is a rolling 365-day average of report quality; requiring 1.0 is a low bar that only filters researchers with zero valid history — a fair proxy for AI-assisted spam accounts
- –cURL's maintainer Daniel Stenberg coined "AI slop bug reports" and pulled the project from HackerOne entirely after 3 decades and $100K+ in bounties; Node.js chose a softer gate instead
- –The escape hatch matters: low-signal researchers can still report via OpenJS Slack, preserving legitimate new researcher access while adding friction for automated fire-and-forget submissions
- –As AI tooling makes plausible-sounding vuln reports trivially easy to generate at scale, expect every major open-source bug bounty program to implement some form of reputation gating in 2026
// TAGS
node-jssecurityopen-sourcedevtool
DISCOVERED
75d ago
2026-03-14
PUBLISHED
75d ago
2026-03-14
RELEVANCE
6/ 10
AUTHOR
Theo - t3․gg
