TNS
SUBSCRIBE
Join our community of software engineering leaders and aspirational developers. Always stay in-the-know by getting the most important news and exclusive content delivered fresh to your inbox to learn more about at-scale software development.
REQUIRED
 
It seems that you've previously unsubscribed from our newsletter in the past. Click the button below to open the re-subscribe form in a new tab. When you're done, simply close that tab and continue with this form to complete your subscription.
Welcome and thank you for joining The New Stack community!
Please answer a few simple questions to help us deliver the news and resources you are interested in.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
Great to meet you!
Tell us a bit about your job so we can cover the topics you find most relevant.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
 
Welcome!

We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.

What’s next?

Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.

Become a TNS follower on LinkedIn.

Check out the latest featured and trending stories while you wait for your first TNS newsletter.

PREV
of
NEXT
VOXPOP
As a JavaScript developer, what non-React tools do you use most often?
Angular
0%
Astro
0%
Svelte
0%
Vue.js
0%
Other
0%
I only use React
0%
I don't use JavaScript
0%
 
NEW! Try Stackie AI
Cloud Native Ecosystem Containers Databases Edge Computing Infrastructure as Code Linux Microservices Open Source Networking Storage
Cloud native application challenges: installing the walking skeleton
May 13th 2026 9:00am, by Manning Book Authors
Why agent harnesses fail inside cloud-native systems
May 13th 2026 9:00am, by Arjun Iyer
Why Prometheus couldn't see Cilium metrics at 2 a.m.
May 10th 2026 10:00am, by Rishi Mondal
How Microsoft is governing thousands of Kubernetes clusters without manual intervention
May 7th 2026 6:07pm, by Adrian Bridgwater
Kubernetes finally lands user namespace support, but shared kernel problem remains
May 6th 2026 10:50am, by Kaylin Trychon
Microsoft wants to make service mesh invisible
Apr 8th 2026 1:11pm, by Frederic Lardinois
Edera spent years calling KVM less secure. Here's why it changed its mind.
Mar 25th 2026 2:22pm, by Steven J. Vaughan-Nichols
Minimus aims to solve one of open-source's long-festering problems
Mar 24th 2026 3:00am, by Adrian Bridgwater
How to deploy Pi-Hole with Docker and stop ads on every device on your LAN
Mar 23rd 2026 7:44am, by Jack Wallen
Chainguard has a fix for the open source packages your AI agents keep grabbing
Mar 18th 2026 9:24am, by Darryl K. Taft
Fivetran's CPO: Closed data stacks won't survive the agent era
May 13th 2026 6:15pm, by Matthew Burns
Why your AI agent doesn't actually remember anything
May 11th 2026 10:00am, by Ed Huang
ScyllaDB cut Sprig's read latency 4X after Redis and ClickHouse hit a wall
May 5th 2026 7:00am, by Cynthia Dunlop
Why developers are betting on Postgres for AI
Apr 27th 2026 10:00am, by Meredith Shubel
Vectors gave us AI search, tensors are going to make it smarter
Apr 24th 2026 9:42am, by Alex Wilhelm
Edge-forward: Akamai eyes sweet spot between centralized & decentralized AI inference
Apr 1st 2026 7:00am, by Adrian Bridgwater
Developers are coding to a moving target, and nobody knows where AI lands next
Mar 3rd 2026 7:33am, by Adrian Bridgwater
Cloudflare’s new Markdown support shows how the web is evolving for AI agents
Mar 2nd 2026 4:30am, by David Eastman
React Server Components Vulnerability Found
Dec 6th 2025 7:00am, by Loraine Lawson
Kubernetes at the Edge: Lessons From GE HealthCare’s Edge Strategy
Nov 24th 2025 10:00am, by Vicki Walker
Why Terraform is green when your cloud is broken
Apr 28th 2026 9:00am, by Joe Karlsson
The one Slack message that proved our elite engineering team was flying blind
Apr 26th 2026 11:00am, by Joe Karlsson
The operational gap is real, and it's getting wider
Mar 26th 2026 8:00am, by Yevgeny Pats
Why "automated" infrastructure might cost more than you think
Feb 24th 2026 4:00am, by Justyn Roberts
Why 40% of AI projects will be canceled by 2027 (and how to stay in the other 60%)
Feb 13th 2026 6:00am, by Alex Drag
Sparky Linux 9 brings a rolling release to Debian
Mar 30th 2026 8:00am, by Jack Wallen
Edera spent years calling KVM less secure. Here's why it changed its mind.
Mar 25th 2026 2:22pm, by Steven J. Vaughan-Nichols
Your Kubernetes isn't ready for AI workloads, and drift is the reason
Mar 25th 2026 8:43am, by TNS Staff
Linux kernel scale is swamping an already-flawed CVE system
Mar 20th 2026 4:30am, by Jed Salazar
Scaling Btrfs to petabytes in production: a 74% cost reduction story
Mar 18th 2026 5:00am, by Motiejus Jakštys
Tetrate launches open source marketplace to simplify Envoy adoption
Mar 11th 2026 10:52am, by Adrian Bridgwater
OpenTelemetry roadmap: Sampling rates and collector improvements ahead
Feb 24th 2026 11:00am, by B. Cameron Gain
Merging To Test Is Killing Your Microservices Velocity
Dec 16th 2025 7:00am, by Arjun Iyer
IBM’s Confluent Acquisition Is About Event-Driven AI
Dec 11th 2025 6:00am, by Joab Jackson
Deploy Agentic AI Workflows With Kubernetes and Terraform
Nov 26th 2025 9:00am, by Oladimeji Sowole
Why Block handed Goose to the Linux Foundation
May 15th 2026 6:37pm, by Alex Wilhelm
Temporal hits 3,000 paying customers with its crash-proof workflow engine
May 13th 2026 9:48am, by Chris J. Preimesberger
Jensen Huang and Bill McDermott bet on OpenShell to secure enterprise AI agents
May 12th 2026 4:08pm, by Darryl K. Taft
Why 157,000 developers are hedging against Anthropic with OpenCode
May 10th 2026 12:36pm, by Janakiram MSV
With the launch of Meko, Yugabyte targets the data layer that's breaking multi-agent AI systems
May 7th 2026 9:30am, by Carly Page
From system of record to system of control: How NetBox Labs is making network engineers “masters of intent.”
Apr 28th 2026 11:00am, by Doug Sillars
Beyond the VPN: Cloudflare Mesh builds a private network for the age of AI agents
Apr 14th 2026 11:04am, by Adrian Bridgwater
Model Flop Utilization is the metric Aria Networks says will define the AI infrastructure era
Apr 7th 2026 9:00am, by Adrian Bridgwater
How to deploy Pi-Hole with Docker and stop ads on every device on your LAN
Mar 23rd 2026 7:44am, by Jack Wallen
Why flat Kubernetes networks fail at scale
Mar 20th 2026 7:00am, by Reza Ramezanpour
Why Postgres wants NVMe on the hot path, and S3 everywhere else
Apr 17th 2026 9:00am, by Alasdair Brown
Scaling Btrfs to petabytes in production: a 74% cost reduction story
Mar 18th 2026 5:00am, by Motiejus Jakštys
What is KubeVirt and why it’s growing
Mar 17th 2026 9:00am, by Tiago Castro
S3 is the new network: Rethinking data architecture for the cloud era
Feb 2nd 2026 4:00am, by Max Liu
Agoda’s secret to 50x scale: Getting the database basics right
Jan 28th 2026 7:00am, by Cynthia Dunlop
AI AI Engineering API Management Backend development Data Frontend Development Large Language Models Security Software Development WebAssembly
GitHub will start paying some bug bounty hunters in swag instead of cash
May 18th 2026 3:01pm, by
AI security readiness is now the No. 1 obstacle to adoption, Linux Foundation finds
May 18th 2026 2:55pm, by
OpenAI brings Codex to the ChatGPT mobile app
May 14th 2026 4:13pm, by
Cloud code: Conductor joins the rush toward remote coding agents
May 14th 2026 1:24pm, by
GitLab is betting a 19th-century economic theory will shape its AI era
May 14th 2026 1:21pm, by
The clean-up cost of AI-generated code is what the velocity narrative leaves out
May 16th 2026 9:00am, by
AWS found bugs in 60% of software requirements. Its fix isn't more AI — it's a 50-year-old logic engine.
May 15th 2026 12:26pm, by
OpenAI brings Codex to the ChatGPT mobile app
May 14th 2026 4:13pm, by
The Rust sidecar pattern that fixes Python AI's biggest weakness
May 14th 2026 9:00am, by
Anthropic's Claude Code agent view is a better dashboard. So why aren't developers convinced?
May 13th 2026 11:13am, by
The API portal is the clearest signal of whether your company can handle AI agents
May 12th 2026 1:23pm, by
AI teams are spending months on web scrapers that SerpApi replaces with one API call
May 12th 2026 10:00am, by
Why JSON Schema matters more than ever in the age of generative AI
Apr 28th 2026 1:00pm, by
SmartBear's Swagger update targets the API drift problem AI coding tools created
Apr 19th 2026 10:00am, by
MCP is everywhere, but don't panic. Here's why your existing APIs still matter.
Mar 23rd 2026 5:00am, by and
Why PHP performance keeps getting bumped from the roadmap
May 6th 2026 10:00am, by
Why Postgres wants NVMe on the hot path, and S3 everywhere else
Apr 17th 2026 9:00am, by
Expo bets big on React Native’s agentic future
Apr 16th 2026 11:37am, by
From clobbered drafts to real-time sync
Apr 14th 2026 10:00am, by
Moving beyond the “magic scaling sauce” myth
Apr 2nd 2026 9:30am, by
Fivetran's CPO: Closed data stacks won't survive the agent era
May 13th 2026 6:15pm, by
MinIO's MemKV promises 95% better GPU utilization by ending AI recompute tax
May 13th 2026 4:27pm, by
ScyllaDB cut Sprig's read latency 4X after Redis and ClickHouse hit a wall
May 5th 2026 7:00am, by
How to find and unlock the data hidden within videos
Apr 26th 2026 10:00am, by
Vectors gave us AI search, tensors are going to make it smarter
Apr 24th 2026 9:42am, by
Expo bets big on React Native’s agentic future
Apr 16th 2026 11:37am, by
Digital Experience Monitoring belongs in the modern developer workflow
Apr 3rd 2026 10:00am, by
WebMCP turns any Chrome web page into an MCP server for AI agents
Mar 17th 2026 11:50am, by
Confluent adds A2A support, anomaly detection, and Queues for Kafka in major platform update
Mar 3rd 2026 10:21am, by
Google's Chrome browser moves to a two-week release cycle
Mar 3rd 2026 9:00am, by
I tested OpenAI's three claims about GPT-5.5 Instant, and only one fully held up
May 13th 2026 10:50am, by
Anthropic trains Claude to resist blackmail & self-preservation behavior via agentic misalignment
May 11th 2026 1:26pm, by
Anthropic will let its managed agents dream
May 6th 2026 12:15pm, by
The company that made RAG mainstream is now betting against it
May 6th 2026 10:40am, by
How NetEase Games cut LLM cold starts from 42 minutes to 30 seconds
May 6th 2026 9:00am, by and
GitHub will start paying some bug bounty hunters in swag instead of cash
May 18th 2026 3:01pm, by
AI security readiness is now the No. 1 obstacle to adoption, Linux Foundation finds
May 18th 2026 2:55pm, by
The clean-up cost of AI-generated code is what the velocity narrative leaves out
May 16th 2026 9:00am, by
Why AI is failing in the security operations center 
May 15th 2026 11:57am, by
OpenAI's Daybreak and Anthropic's Glasswing have nearly identical benchmarks — and 3 of the same partners
May 13th 2026 11:04am, by
The clean-up cost of AI-generated code is what the velocity narrative leaves out
May 16th 2026 9:00am, by
Temporal hits 3,000 paying customers with its crash-proof workflow engine
May 13th 2026 9:48am, by
AI is creating a generation of developers who can't debug their own code
May 12th 2026 12:16pm, by
OpenAI Codex arrives in the browser with new Chrome extension
May 8th 2026 2:03pm, by
Why PHP performance keeps getting bumped from the roadmap
May 6th 2026 10:00am, by
Edge-forward: Akamai eyes sweet spot between centralized & decentralized AI inference
Apr 1st 2026 7:00am, by
WebAssembly is now outperforming containers at the edge
Mar 29th 2026 9:00am, by
WebAssembly could solve AI agents' most dangerous security gap
Mar 24th 2026 9:01am, by
How WebAssembly plugins simplify Kubernetes extensibility
Mar 3rd 2026 2:00pm, by
WebAssembly is everywhere. Here's how it works
Feb 25th 2026 11:00am, by
AI Operations CI/CD Cloud Services DevOps Kubernetes Observability Operations Platform Engineering
The software fix that could shrink AI's energy bill without new hardware
May 15th 2026 12:00pm, by Warren Vella
AI is creating a generation of developers who can't debug their own code
May 12th 2026 12:16pm, by Charlotte Fleming
Red Hat is betting on AgentOps to close the gap between AI experiments and production
May 12th 2026 11:23am, by Steven J. Vaughan-Nichols
SAP launches AI Agent Hub at Sapphire 2026 to tame vendor agent sprawl
May 12th 2026 8:30am, by Frederic Lardinois
How AI-native systems are built
May 11th 2026 11:00am, by Boris Chabeda
As agentic dev tools boom, workflow auditability becomes the constraint
May 12th 2026 8:00am, by Brian Wald
The agent code explosion is here. We need to rethink our pipelines, fast.
May 4th 2026 10:00am, by Arjun Iyer
Is your internal platform ready to keep up with AI-accelerated development?
Apr 16th 2026 6:07am, by TNS Staff
Claude Code can now do your job overnight
Apr 14th 2026 2:56pm, by Frederic Lardinois
The TeamPCP attacks are a warning: Your CI/CD pipeline is the new front line
Apr 2nd 2026 12:00pm, by Dan Lorenc
AI agents need to spend money — Stripe and iWallet are building the rails
May 5th 2026 7:43am, by John Biggs
AWS lands OpenAI on Bedrock, but Trainium is the real story
Apr 29th 2026 10:54am, by Janakiram MSV
Why Terraform is green when your cloud is broken
Apr 28th 2026 9:00am, by Joe Karlsson
Microsoft-OpenAI rewrite opens the door for Anthropic and Google
Apr 27th 2026 6:25pm, by Adrian Bridgwater
The one Slack message that proved our elite engineering team was flying blind
Apr 26th 2026 11:00am, by Joe Karlsson
Elastic architects reveal how to query observability data in plain English
May 7th 2026 12:27pm, by Alex Wilhelm
Why Terraform is green when your cloud is broken
Apr 28th 2026 9:00am, by Joe Karlsson
3 steps to escaping the “break-fix” trap
Apr 17th 2026 10:00am, by Cristina Dias
Is your internal platform ready to keep up with AI-accelerated development?
Apr 16th 2026 6:07am, by TNS Staff
Why data governance is the secret to AI agent success
Apr 10th 2026 11:00am, by Rod Cope
Cloud native application challenges: installing the walking skeleton
May 13th 2026 9:00am, by Manning Book Authors
Why Prometheus couldn't see Cilium metrics at 2 a.m.
May 10th 2026 10:00am, by Rishi Mondal
How Microsoft is governing thousands of Kubernetes clusters without manual intervention
May 7th 2026 6:07pm, by Adrian Bridgwater
Kubernetes finally lands user namespace support, but shared kernel problem remains
May 6th 2026 10:50am, by Kaylin Trychon
How NetEase Games cut LLM cold starts from 42 minutes to 30 seconds
May 6th 2026 9:00am, by Haifeng Liao and Xiang Zhang
Elastic architects reveal how to query observability data in plain English
May 7th 2026 12:27pm, by Alex Wilhelm
Why PHP performance keeps getting bumped from the roadmap
May 6th 2026 10:00am, by Matthew Weier O’Phinney
Arize AI and Google Cloud lay down standardized telemetry mandate to keep enterprise agents in check
May 4th 2026 11:00am, by Adrian Bridgwater
Sentry’s Seer Agent lets developers debug production issues in natural language
Apr 28th 2026 12:01pm, by Frederic Lardinois
The one Slack message that proved our elite engineering team was flying blind
Apr 26th 2026 11:00am, by Joe Karlsson
OpenAI brings Codex to the ChatGPT mobile app
May 14th 2026 4:13pm, by Frederic Lardinois
GitLab is betting a 19th-century economic theory will shape its AI era
May 14th 2026 1:21pm, by Paul Sawers
The new FinOps problem isn't cloud bills
May 12th 2026 7:24pm, by Frederic Lardinois
GitHub builds an immune system for AI coding agents running on MCP
May 7th 2026 11:04am, by Paul Sawers
Fresh data has us asking, does AI demand Kubernetes?
May 1st 2026 4:18pm, by Jennifer Riggins
Cloud native application challenges: installing the walking skeleton
May 13th 2026 9:00am, by Manning Book Authors
How to build a skills library for your engineering team
May 13th 2026 9:00am, by Zohar Einy
Why Prometheus couldn't see Cilium metrics at 2 a.m.
May 10th 2026 10:00am, by Rishi Mondal
Tanzu Platform's 15-year head start meets the AI moment
May 9th 2026 11:00am, by Cora Iberkleid
How Microsoft is governing thousands of Kubernetes clusters without manual intervention
May 7th 2026 6:07pm, by Adrian Bridgwater
C++ Developer tools Go Java JavaScript Programming Languages Python Rust TypeScript
Open source USearch library jumpstarts ScyllaDB vector search
Feb 5th 2026 12:00pm, by Jelani Harper
AWS WAF vs. Google Cloud Armor: A Multicloud Security Showdown
Nov 25th 2025 10:00am, by Advait Patel
Goodbye Dashboards: Agents Deliver Answers, Not Just Reports
Nov 23rd 2025 9:00am, by Ketan Karkhanis
Rust vs. C++: a Modern Take on Performance and Safety
Oct 22nd 2025 2:00pm, by Zziwa Raymond Ian
Building a Real-Time System Monitor in Rust Terminal
Oct 15th 2025 7:05am, by Tinega Onchari
Anthropic splits billing again: Agent SDK gets separate credit pools
May 14th 2026 1:19pm, by Meredith Shubel
Anthropic's Claude Code agent view is a better dashboard. So why aren't developers convinced?
May 13th 2026 11:13am, by Meredith Shubel
How to build a skills library for your engineering team
May 13th 2026 9:00am, by Zohar Einy
AI teams are spending months on web scrapers that SerpApi replaces with one API call
May 12th 2026 10:00am, by Carly Page
Why 157,000 developers are hedging against Anthropic with OpenCode
May 10th 2026 12:36pm, by Janakiram MSV
Go Experts: 'I Don't Want to Maintain AI-Generated Code'
Sep 28th 2025 6:00am, by David Cassel
How To Run Kubernetes Commands in Go: Steps and Best Practices 
Jun 27th 2025 8:00am, by Sunny Yadav
Prepare Your Mac for Go Development
Apr 12th 2025 7:00am, by Damon M. Garn
Pagoda: A Web Development Starter Kit for Go Programmers
Mar 19th 2025 6:10am, by Loraine Lawson
Microsoft TypeScript Devs Explain Why They Chose Go Over Rust, C#
Mar 18th 2025 7:00am, by David Cassel
In the AI age, Java is more relevant than ever
Apr 8th 2026 5:30pm, by Mary Branscombe
Java 26 lands without an LTS badge. Here's why developers should care anyway.
Mar 18th 2026 9:35am, by Darryl K. Taft
62% of enterprises now use Java to power AI apps
Feb 10th 2026 12:58pm, by Darryl K. Taft
BellSoft bets Java expertise can beat hardened container wave
Jan 26th 2026 3:00pm, by Darryl K. Taft
Java Developers Get Multiple Paths To Building AI Agents
Dec 26th 2025 7:02am, by Darryl K. Taft
"Real maturity problems": Not every developer is thrilled with Bun after Anthropic acquisition
May 5th 2026 1:03pm, by Adrian Bridgwater
TypeScript 6.0 RC arrives as a bridge to a faster future
Mar 14th 2026 9:00am, by Darryl K. Taft
WebAssembly is everywhere. Here's how it works
Feb 25th 2026 11:00am, by Jessica Wachtel
Wasm vs. JavaScript: Who wins at a million rows?
Feb 22nd 2026 6:00am, by Jessica Wachtel
Arcjet reaches v1.0, promises stable security for JavaScript apps
Feb 14th 2026 7:00am, by Darryl K. Taft
Who will maintain the web when PHP's veterans retire?
Apr 16th 2026 2:53pm, by Darryl K. Taft
Will AI force code to evolve or make it extinct?
Mar 22nd 2026 6:00am, by David Cassel
Java 26 lands without an LTS badge. Here's why developers should care anyway.
Mar 18th 2026 9:35am, by Darryl K. Taft
TypeScript 6.0 RC arrives as a bridge to a faster future
Mar 14th 2026 9:00am, by Darryl K. Taft
Nearly half of all companies now use Rust in production, survey finds
Mar 6th 2026 10:45am, by Darryl K. Taft
How to build an AI-powered private document search app with RAG, ChromaDB, and memory
Apr 10th 2026 12:00pm, by Teri Eyenike
In the AI age, Java is more relevant than ever
Apr 8th 2026 5:30pm, by Mary Branscombe
OpenAI acquires Astral to bring open source Python developer tools to Codex — but details are still fuzzy
Mar 20th 2026 7:33am, by Meredith Shubel
Python virtual environments: isolation without the chaos
Feb 16th 2026 7:00am, by Jessica Wachtel
Statistical language R is making a comeback against Python
Feb 12th 2026 2:57pm, by Darryl K. Taft
The Rust sidecar pattern that fixes Python AI's biggest weakness
May 14th 2026 9:00am, by Boris Chabeda
Nearly half of all companies now use Rust in production, survey finds
Mar 6th 2026 10:45am, by Darryl K. Taft
Wasm vs. JavaScript: Who wins at a million rows?
Feb 22nd 2026 6:00am, by Jessica Wachtel
Open source USearch library jumpstarts ScyllaDB vector search
Feb 5th 2026 12:00pm, by Jelani Harper
The 'weird' things that happened when Clickhouse replaced C++ with Rust
Feb 4th 2026 7:26am, by B. Cameron Gain
From clobbered drafts to real-time sync
Apr 14th 2026 10:00am, by David Moore
TypeScript 6.0 RC arrives as a bridge to a faster future
Mar 14th 2026 9:00am, by Darryl K. Taft
Mastra empowers web devs to build AI agents in TypeScript
Jan 28th 2026 11:00am, by Loraine Lawson
Inferno Vet Creates Frontend Framework Built With AI in Mind
Dec 10th 2025 11:00am, by Loraine Lawson
JavaScript Utility Library Lodash Changing Governance Model
Nov 1st 2025 7:00am, by Loraine Lawson
AI / AI Agents / Security

GitHub will start paying some bug bounty hunters in swag instead of cash

GitHub is tightening its bug bounty program standards as AI-assisted vulnerability reports overwhelm security teams with low-quality submissions.
May 18th, 2026 3:01pm by
Featued image for: GitHub will start paying some bug bounty hunters in swag instead of cash
Rizki Kurniawan for Unsplash+

Bug bounties have served as one of cybersecurity’s core pressure valves for decades, giving independent researchers a structured way to disclose vulnerabilities before attackers can exploit them. But a deluge of AI-assisted reports is upending parts of that system.

GitHub announced last week that it’s tightening standards across its bug bounty program as submission volumes rise sharply alongside the growing use of AI tools in security research.

In a blog post, Jarom Brown, senior product security engineer for GitHub’s bug bounty program, said the company was seeing a growing number of submissions that lacked proof-of-concept validation, demonstrated impact, or clear evidence that an exploitable security boundary had actually been crossed.

“Programs across the industry are grappling with the same challenge, and some have shut down entirely,” Brown writes.

The AI slop deluge

GitHub stressed that it was not opposed to researchers using AI. In fact, the company said it expected AI to become increasingly central to modern security research workflows. The problem, according to GitHub, is the growing volume of speculative or poorly validated reports generated with AI assistance.

“The tools don’t matter. The quality of the work does.”

“The tools don’t matter,” Brown continues. “The quality of the work does.”

The news comes a week after Anthropic launched its first public HackerOne bug bounty program, opening its security reporting pipeline to external researchers after previously relying on more tightly controlled safety-testing efforts.

That launch itself came only weeks after Anthropic unveiled Claude Mythos and Project Glasswing, a restricted-access cybersecurity initiative centered around a more advanced frontier model the company claims can identify and chain together software vulnerabilities more effectively than its current public systems.

Anthropic positioned Mythos as part of a broader effort to strengthen defensive cybersecurity capabilities before more powerful offensive AI tooling becomes widespread. Yet the company’s simultaneous expansion into a conventional human-led bug bounty program also highlighted a growing tension inside the AI security industry: even as companies market capable autonomous cyber systems, there’s still a clear reliance on human researchers to identify, validate and reproduce real-world vulnerabilities.

Proof-of-concept now required

Under the updated standards, GitHub says researchers will now face stricter requirements around working proof-of-concept demonstrations, demonstrated security impact, validation of scanner or AI-generated findings, and adherence to GitHub’s published list of ineligible vulnerabilities.

Reports that identify low-risk hardening opportunities or documentation gaps may also no longer qualify for cash rewards. Instead, GitHub says some lower-severity findings that still result in fixes will receive company swag rather than bounty payouts.

The company also urged researchers to make submissions shorter and easier to verify, arguing that overly elaborate reports were making it harder for security teams to identify genuinely exploitable findings. And yes, part of the problem again is down to AI.

“The clearer and more direct your report, the faster we can act on it.”

“Verbose reports such as multi-page theoretical narratives, restated background context, or AI-generated filler slow down triage because the actual finding gets buried,” Brown writes. “The clearer and more direct your report, the faster we can act on it.”

cURL’s earlier warning

GitHub’s comments follow growing frustration across parts of the open source security community over what has come to be known as “AI slop” bug reports. In January, Daniel Stenberg, founder and lead developer of the open source data transfer tool cURL, said the project would shut down its bug bounty program after maintainers became overwhelmed by low-quality AI-assisted submissions.

“We are effectively being DDoSed,” Stenberg wrote at the time. “If we could, we would charge them for this waste of our time. We still have not seen a single valid security report done with AI help.”

Stenberg later clarified that he was not opposed to AI-assisted security research itself, pointing to examples where researchers had successfully used AI tooling to uncover legitimate bugs and code issues. His criticism focused on poorly validated submissions generated in pursuit of bug bounty payouts.

And this aligns with GitHub’s position. The company emphasizes that AI-assisted findings remain welcome — provided researchers validate them properly before submission.

“The human researcher is accountable for the accuracy of the submission.”

“The human researcher is accountable for the accuracy of the submission,” Brown writes.

Where GitHub draws the line

GitHub’s post devoted significant attention to what it described as misunderstandings around the platform’s security boundaries, particularly involving AI tools, malicious repositories and prompt injection attacks.

The company argues that many reports involving harmful AI outputs or malicious repositories often fall under what it calls a “shared responsibility model.” GitHub says users remain responsible for deciding which repositories, scripts, workflows and AI-generated outputs they trust or execute.

“When an ‘attack’ requires the victim to actively seek out and engage with attacker-controlled content,” Brown writes, “the security boundary is the user’s decision to trust that content.”

GitHub points to several examples of what it generally doesn’t consider to be bounty-eligible vulnerabilities, including prompt injection attacks involving content deliberately fed into AI systems, malicious Git hooks inside cloned repositories, and AI tools producing dangerous outputs after processing untrusted inputs.

Shared responsibility examples
Shared responsibility examples

The distinction is important because prompt injection attacks and malicious AI-generated code have become central concerns as AI coding agents grow more autonomous and more deeply integrated into software development environments.

For GitHub, the line appears to be whether an attacker bypassed an actual GitHub-controlled security boundary — or simply convinced a user to trust hostile content.

TRENDING STORIES
Group Created with Sketch.
Paul is an experienced technology journalist covering some of the biggest stories from Europe and beyond, most recently at TechCrunch where he covered startups, enterprise, Big Tech, infrastructure, open source, AI, regulation, and more. Based in London, these days Paul...
Read more from Paul Sawers
SHARE THIS STORY
TRENDING STORIES
TNS owner Insight Partners is an investor in: Anthropic.
TRENDING STORIES
TNS DAILY NEWSLETTER Receive a free roundup of the most recent TNS articles in your inbox each day.