AI Security Intelligence
Published benchmark scores from peer-reviewed research — 56 results across 3 categories. Plus 31 active bug bounty programs.
Model Security Leaderboard
SWE-bench Verified score — the industry standard for autonomous code repair. Models are given real GitHub issues with failing tests; score = % resolved with no human help.
DARPA AI Cyber Challenge (AIxCC)
The most credible real-world AI security competition. Autonomous Cyber Reasoning Systems (CRS) analyze millions of lines of code to find and patch vulnerabilities — with no human intervention.
Notable AI Security Discoveries
Anthropic's Fable cybersecurity model blocks routine security work, researchers say
Anthropic
Anthropic released Fable, a public version of its cybersecurity model Mythos, but security researchers report the model's guardrails are blocking routine tasks. The model flags requests as cybersecurity-related even for reading blog posts or requesting code reviews, downgrading to Claude Opus 4.8 when triggered.
Anthropic releases Claude Fable 5, a 'Mythos-class' model with safeguards for public use
Anthropic
Anthropic has released Claude Fable 5, described as a 'Mythos-class' model that the company claims is safe for general use. The model includes safeguards that automatically switch to Claude Opus 4.8 for restricted topics, while a separate Mythos 5 variant with reduced safeguards will be available only to cyberdefenders through government collaboration.
Anthropic releases Claude Fable 5 with Mythos-class capabilities at $10/$50 per million tokens
Anthropic
Anthropic released Claude Fable 5, a Mythos-class model, to enterprise customers and paid subscribers two months after limiting its advanced Mythos model to select users. The new model costs $10 per million input tokens and $50 per million output tokens—twice the price of Claude Opus 4.8—and includes safeguards that block responses in high-risk areas like cybersecurity and biology.
Active Bug Bounty Programs
| Program | Organization | Platform | AI Policy | Max Payout | Scope |
|---|---|---|---|---|---|
| Immunefi | Immunefi (platform) | Immunefi | AI Encouraged | $10M | DeFi protocols, smart contracts, Web3 bridges, DAO treasuries |
| HackerOne Programs | HackerOne (platform) | HackerOne | Case by Case | $1M | 1,000+ programs across tech, finance, government, healthcare |
| Apple Security Bounty | Apple | Direct | Not Specified | $1M | iCloud, iOS, macOS, Safari, Apple silicon firmware |
| Bugcrowd Programs | Bugcrowd (platform) | Bugcrowd | Case by Case | $500K | 1,000+ programs — tech, finance, automotive, healthcare |
| Meta Bug Bounty | Meta | HackerOne | AI Allowed | $300K | Facebook, Instagram, WhatsApp, Threads, Messenger, Meta Quest |
| Binance Bug Bounty | Binance | HackerOne | AI Allowed | $250K | Binance.com, mobile apps, exchange API, Binance Smart Chain, Binance Pay |
| Microsoft Bug Bounty | Microsoft | Direct | AI Allowed | $250K | Azure, Microsoft 365, Windows, Xbox, Edge, Bing |
| Google DeepMind AI Safety | Google DeepMind | Direct | AI Encouraged | $250K | Gemini models, Google AI APIs, Vertex AI, AI Studio |
| Coinbase Bug Bounty | Coinbase | HackerOne | AI Allowed | $250K | Coinbase.com, Coinbase Pro, Coinbase Wallet, exchange APIs |
| Vulnerability Reward Program | Google | Direct | AI Allowed | $250K | Google Search, Google Cloud, Android, Chrome, YouTube, Gmail |
| Ethereum Foundation Bug Bounty | Ethereum Foundation | Direct | AI Encouraged | $250K | Ethereum protocol, EVM, consensus clients (Prysm, Lighthouse, Teku, Nimbus), execution clients (Geth, Nethermind, Besu) |
| Samsung Mobile Security Rewards | Samsung | Direct | AI Allowed | $200K | Samsung Galaxy devices, Knox, One UI, Samsung Health, Samsung Pay, Bixby |
| Kraken Bug Bounty | Kraken | Bugcrowd | AI Allowed | $100K | Kraken.com, Pro Trading, mobile apps, exchange API, Kraken NFT |
| GitHub Security Bug Bounty | GitHub (Microsoft) | HackerOne | AI Allowed | $100K | GitHub.com, Actions, Packages, Codespaces, Copilot |
| OpenAI Bug Bounty | OpenAI | Bugcrowd | Case by Case | $100K | ChatGPT, API (GPT-4o, o3, o4), DALL-E, Sora, OpenAI.com |
| Stripe Bug Bounty | Stripe | HackerOne | AI Allowed | $50K | Stripe.com, Dashboard, API, Connect, Terminal, Stripe.js, mobile SDKs |
| Shopify Bug Bounty | Shopify | HackerOne | AI Allowed | $50K | Shopify.com, Admin, Partner API, Storefront API, POS |
| xAI Bug Bounty | xAI | Bugcrowd | Case by Case | $50K | Grok models, grok.com, xAI API, X AI integrations |
| Anthropic Bug Bounty | Anthropic | HackerOne | Case by Case | $50K | Claude.ai, Anthropic API, Claude models |
| Snap Bug Bounty | Snap Inc. | HackerOne | AI Allowed | $35K | Snapchat, Snap Map, Spotlight, Lens Studio, Snap Kit, Bitmoji |
| PayPal Bug Bounty | PayPal | HackerOne | AI Allowed | $30K | PayPal.com, Venmo, Braintree, PayPal Checkout APIs |
| Hack the Pentagon | US Department of Defense | HackerOne | Case by Case | $25K | DoD public-facing websites, military branches, DISA systems |
| Mistral AI Bug Bounty | Mistral AI | Direct | AI Encouraged | $25K | Mistral API, Le Chat, open-weight model deployments |
| Atlassian Bug Bounty | Atlassian | Bugcrowd | AI Allowed | $25K | Jira, Confluence, Bitbucket, Trello, Atlassian Cloud |
| HackerOne Bug Bounty | HackerOne | HackerOne | AI Encouraged | $25K | HackerOne.com, API, Hacker Dashboard, Customer Portal, Pentest Platform |
| Discord Bug Bounty | Discord | HackerOne | AI Allowed | $20K | Discord.com, desktop/mobile apps, Bots API, Activities, Discord Store |
| Netflix Bug Bounty | Netflix | Bugcrowd | AI Allowed | $20K | Netflix.com, mobile/TV apps, API, Partner portal, Open Connect CDN |
| X (Twitter) Bug Bounty | X Corp. | HackerOne | Not Specified | $15K | X.com, mobile apps, X API, X Premium, Spaces, Communities |
| Tesla Bug Bounty | Tesla | Bugcrowd | Not Specified | $15K | Tesla vehicles (OTA, infotainment), Tesla.com, mobile apps, energy products |
| Verizon Bug Bounty | Verizon | Bugcrowd | Not Specified | $10K | Verizon.com, My Verizon app, Fios, VZ Media, Visible |
| BMW Vulnerability Disclosure | BMW Group | Direct | Not Specified | Varies | BMW Connected Drive, My BMW App, vehicle telematics, ISTA diagnostic systems |
AI tools policy reflects publicly stated program rules where available. Always read individual program scope before submitting. “AI Encouraged” means the program explicitly welcomes AI-assisted research.
Payout Estimator
Estimate potential earnings from AI-assisted bug bounty research. Pick a model and program, adjust your hours and API costs.
Estimates are illustrative only. Actual results depend on target complexity, researcher skill, vulnerability severity distribution, and program-specific acceptance criteria. The model uses benchmark scores as a proxy for bug-finding capability — real-world performance may differ significantly.