Turso, a database company, announced they are retiring their bug bounty program that paid $1,000 for any demonstrable data corruption bug. The decision stems from an overwhelming volume of AI-generated low-quality submissions that made the program unsustainable to operate.
AI-Generated Submissions Overwhelm Review Process
In their blog post titled "The Wonders of AI: We Are Retiring Our Bug Bounty Program," Turso explained the core issue: "An army of AI-generated low-quality submissions was released, making it too high a reward to just point an LLM at Turso and try to find a bug. When you instruct an LLM to go find a bug and collect a bounty, it will produce output whether or not it makes sense."
The company had required that submissions extend its simulator to demonstrate the bug, which initially helped maintain quality standards. However, this barrier proved insufficient as automated AI-generated reports flooded the review process, consuming significant time without providing substantive security research.
Legitimate Successes Before Program Closure
The program did achieve notable successes before being overwhelmed:
- Alperen served as a core simulator contributor
- Mikael used LLMs creatively to identify legitimate gaps in the system
- Pavan Nambi discovered bugs in Turso and over ten bugs in SQLite itself
Industry-Wide Challenge for Security Programs
The announcement received 153 points and 90 comments on Hacker News, reflecting strong community interest in the issue. Turso's decision highlights a growing challenge across the technology industry: distinguishing genuine security research from automated AI-generated reports that lack substance but require substantial review resources.
Key Takeaways
- Turso retired their $1,000 bug bounty program due to overwhelming AI-generated spam submissions
- AI tools produced low-quality reports regardless of whether bugs actually existed
- The program had legitimate successes, including Pavan Nambi finding over ten bugs in SQLite
- The decision reflects a broader industry challenge of AI-generated content overwhelming security programs
- Companies may need new approaches to maintain bug bounty programs in the age of automated AI submissions