What Happened
In early 2025, HackerOne paused its bug bounty program after a surge of vulnerability reports driven by AI-assisted research. This was not a breach or a technical failure; it was a process collapse caused by the very tools meant to improve security.
Around the same time, OpenAI launched Daybreak, an AI-powered initiative built with Codex Security to improve vulnerability detection and patch validation. Access to Daybreak is gated: organizations must request scans rather than run them on their own. Even with that limited rollout, the effect on vulnerability management workflows was significant enough to force HackerOne to pause.
Timeline
Pre-2025: HackerOne runs a standard bug bounty program with human-paced triage processes.
Early 2025: OpenAI announces Daybreak, marking a shift toward AI-driven vulnerability detection.
Early 2025: HackerOne pauses its bug bounty program, overwhelmed by AI-assisted vulnerability discoveries.
Ongoing: Security researcher Himanshu Anand states that "the 90-day disclosure policy is dead" due to compressed discovery and disclosure timelines.
Which Controls Failed or Were Missing
HackerOne's failure was organizational rather than technical. Its triage process was designed for human-speed vulnerability discovery, and three control gaps proved critical:
Intake capacity planning: There was no mechanism to throttle or prioritize reports when AI-assisted submissions multiplied the volume. The planning assumption of a stable report velocity was wrong.
Severity triage automation: Manual review could not scale with the increased volume. Without an automated first pass, every AI-generated finding, valid or not, consumed human attention.
Disclosure timeline policies: The traditional 90-day window gives the vendor time to validate and fix a report before public disclosure, and it was calibrated for a trickle of human-found reports. AI compresses the discovery phase, so many more reports run that clock at the same time, and the fixed window becomes a bottleneck for the vendor rather than a safeguard.
The underlying issue was triage fatigue. A team receiving 10 reports a week can investigate each one thoroughly; at 100 reports a day, analysts must decide quickly, and the chance of missing a critical issue rises.
What the Relevant Standards Require
Major security standards did not anticipate AI-generated report floods, but several existing requirements bear directly on this failure:
ISO/IEC 27001:2022, Annex A Control 8.8 (Management of technical vulnerabilities): Requires that information about technical vulnerabilities in systems in use is obtained, exposure evaluated, and appropriate measures taken. A vulnerability intake process that cannot evaluate what it receives does not satisfy the control.
NIST Cybersecurity Framework v2.0, ID.RA-01: "Vulnerabilities in assets are identified, validated, and recorded." If identification outpaces validation and recording, the intent of this outcome is not met.
PCI DSS v4.0.1, Requirements 6.3.1 and 6.3.2: Security vulnerabilities must be identified and managed using industry-recognized sources, and an inventory of bespoke and custom software components must be maintained to support vulnerability and patch management. AI tools producing reports faster than they can be validated create a gap between what is known and what is tracked.
SOC 2 Type II, CC7.2: Requires monitoring system components for anomalies and analyzing those anomalies to determine whether they represent security events. That analysis is triage, and it breaks down when the queue is overwhelmed.
Standards do not require handling unlimited report volume, but they do require processes that function under actual conditions. HackerOne's pause was an admission that its process had stopped functioning.
Lessons and Action Items for Your Team
If you manage vulnerability intake, whether through a bug bounty program, automated scanning, or AI-assisted detection, here is how to avoid the same triage collapse:
1. Implement automated first-pass triage
Use tooling to categorize reports by severity, affected component, and exploitability before a human looks at them. Analysts should see reports only after they have been scored, deduplicated, and routed.
Action: Define triage criteria (CVSS thresholds, asset criticality, exploit availability) and automate the sorting. Negotiate pre-filtering and deduplication with AI tool vendors so that raw findings are not dumped into the human queue.
2. Establish intake rate limits
Create a policy for when report volume exceeds capacity. Options include:
- Throttling: Limit reports per day/week
- Prioritization: Fast-track production system reports, defer others
- Batching: Group similar findings for triage
Action: Measure current triage capacity in reports per week. Set the intake limit at 80% of that capacity so a buffer remains for high-severity findings that arrive unannounced.
3. Revise your disclosure timeline policy
A flat 90-day window no longer matches the speed of discovery. Consider:
- Severity-based timelines: Critical findings get 30 days, medium findings 60
- Continuous disclosure: Publish fixes upon validation
- Pre-validated findings: Shorten the window if proof-of-concept exploit code is included
Action: Document and communicate your new policy to researchers and stakeholders, including criteria for timeline adjustments.
4. Build triage capacity ahead of AI adoption
Expand your triage team before implementing AI-powered detection. For every AI tool promising to "10x discovery," plan to 3x triage capacity.
Action: Model expected report volume increase and staff accordingly before signing AI scanning contracts.
5. Create a circuit breaker
Define a threshold at which intake is temporarily halted so the backlog can be cleared. Tripping the breaker is operational discipline, not failure.
Action: Set a maximum backlog size (for example, "no more than 50 unreviewed reports older than 7 days"). When the threshold is reached, pause intake until the backlog is back under control, and document this as policy so nobody has to improvise under pressure.
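The three mechanical controls above (first-pass triage in item 1, intake limits and batching in item 2, and the circuit breaker in item 5) fit together as a small intake pipeline. The following is an added worked example, not code from HackerOne, OpenAI, or any vendor named on this page; the report fields, the scoring formula, the thresholds (CVSS 9.0 for fast-track, 80% of capacity, 50 stale reports older than 7 days) and the sample reports are all assumptions or constructed data chosen to illustrate the policy.

```python
"""Worked intake pipeline: first-pass scoring and routing, batching of similar
findings, an intake limit at 80% of measured triage capacity, and a backlog
circuit breaker. Added example; all thresholds and sample data are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Report:
    report_id: str
    cvss: float              # CVSS base score as submitted
    component: str           # affected component, used for batching
    weakness: str            # e.g. a CWE id, used for batching
    asset_criticality: int   # 1 = non-production .. 3 = customer-facing production
    has_poc: bool            # proof-of-concept exploit attached
    received: datetime
    reviewed: bool = False


def first_pass_score(r: Report) -> float:
    """Automated first-pass priority: higher means a human sees it sooner."""
    score = r.cvss * r.asset_criticality   # weight severity by where it lands
    if r.has_poc:
        score += 5.0                       # pre-validated findings jump the queue
    return score


def route(r: Report, critical_cvss: float = 9.0) -> str:
    """Lane assignment before any analyst touches the report."""
    if r.cvss < 4.0 and r.asset_criticality == 1 and not r.has_poc:
        return "auto-defer"                # low severity, non-production, no PoC
    if r.cvss >= critical_cvss or (r.has_poc and r.asset_criticality == 3):
        return "fast-track"
    return "standard"


def batch_similar(reports):
    """Group findings by (component, weakness) so one bug class is triaged once."""
    groups = defaultdict(list)
    for r in reports:
        groups[(r.component, r.weakness)].append(r)
    return dict(groups)


def intake_limit(weekly_capacity: int, headroom: float = 0.8) -> int:
    """Accept at most 80% of measured capacity, leaving a buffer for surprises."""
    return int(weekly_capacity * headroom)


def circuit_breaker(backlog, now: datetime, max_stale: int = 50,
                    max_age_days: int = 7) -> bool:
    """True when intake must pause: more than max_stale unreviewed reports
    have been sitting longer than max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    stale = sum(1 for r in backlog if not r.reviewed and r.received < cutoff)
    return stale > max_stale


def plan_intake(incoming, backlog, now: datetime, weekly_capacity: int):
    """Apply the breaker, then rank and cap what enters the human queue.
    Returns (accepted, deferred, paused)."""
    if circuit_breaker(backlog, now):
        return [], list(incoming), True          # nothing enters until backlog clears
    limit = intake_limit(weekly_capacity)
    eligible = [r for r in incoming if route(r) != "auto-defer"]
    auto_deferred = [r for r in incoming if route(r) == "auto-defer"]
    ranked = sorted(eligible, key=first_pass_score, reverse=True)
    accepted, overflow = ranked[:limit], ranked[limit:]
    return accepted, overflow + auto_deferred, False


# Constructed sample data (not real submissions).
NOW = datetime(2025, 3, 3)
SAMPLE = [
    Report("r1", 9.8, "api-gateway", "CWE-89", 3, True, NOW),
    Report("r2", 5.3, "docs-site", "CWE-79", 1, False, NOW),
    Report("r3", 7.5, "api-gateway", "CWE-89", 3, False, NOW),
    Report("r4", 3.1, "staging-portal", "CWE-200", 1, False, NOW),
    Report("r5", 6.1, "billing", "CWE-79", 3, True, NOW),
]


def stale_backlog(n: int, now: datetime):
    """Constructed backlog of n unreviewed reports received 10 days ago."""
    return [Report(f"old{i}", 5.0, "legacy", "CWE-20", 2, False,
                   now - timedelta(days=10)) for i in range(n)]


if __name__ == "__main__":
    accepted, deferred, paused = plan_intake(SAMPLE, [], NOW, weekly_capacity=3)
    print("accepted:", [r.report_id for r in accepted],
          "deferred:", [r.report_id for r in deferred], "paused:", paused)
    for key, group in batch_similar(SAMPLE).items():
        print("batch", key, [r.report_id for r in group])
    print("breaker tripped:", circuit_breaker(stale_backlog(60, NOW), NOW))
```

With a measured capacity of three reports per week the limit is two, so only the SQL injection against the production API gateway and the billing report with a proof of concept reach analysts; the rest are deferred, not dropped. The two CWE-89 reports against the same component are batched for a single review. Once the backlog holds more than 50 unreviewed reports older than a week, the breaker refuses all new intake until it is worked down.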
The HackerOne incident was not the work of a sophisticated attacker or a zero-day exploit. It was a mismatch between what the tooling could produce and what the process could absorb. Your vulnerability management program will face the same pressure. The only question is whether you adapt your processes before they break or pause operations to fix them afterward.