Navigating the AI Wave: How We're Keeping Security Research Meaningful
The security landscape shifted in a meaningful way earlier this year. With the release of more advanced AI models and tools in February, the entire industry began seeing a significant (100%+) surge in report volume. It's a moment that has challenged us, pushed us to innovate, and ultimately reinforced the work we do together with security researchers and customers.
We're grateful for the opportunity to share where we've been, what we've learned, and where we're headed.
A New Kind of Volume
Historically, an increase in report volume was a signal worth celebrating. More reports meant more researchers engaged, more vulnerabilities found, and more programs protected. That dynamic hasn't disappeared, but it has become more nuanced.
Not all AI-assisted volume is created equal. Some of it is genuinely valuable: novel findings, well-documented reports, and real security impact. But some of it includes duplicates, unverifiable submissions, or reports that lack the depth needed to act on them. This means we have to be more intentional than ever about prioritizing quality over quantity, while being careful not to throw out the signal along with the noise.
We've resisted the temptation to make a sharp, reactive change. Instead, we've leaned on our data, listened closely to the community, and consulted with long-standing customers to take a measured, balanced approach, one that keeps the right reports flowing to the right programs at the right time.
Our Commitment to the Security Researcher Community
We genuinely believe in the power of AI to make security researchers more efficient and effective. We use these tools ourselves. But with that efficiency comes responsibility, and we think that's a healthy tension.
After carefully analyzing the volume trends, we updated the HackerOne Code of Conduct to reflect the realities of AI-assisted research. The core expectation remains the same as it always has been: high-quality, valid reports with clear steps to reproduce and demonstrated impact. What we've clarified is that researchers are responsible for the quality of what they submit, regardless of whether a human or a tool generated the first draft.
We've also built detection and enforcement mechanisms to back this up. We are fortunate to work with such a thoughtful, skilled community, and the response has been overwhelmingly positive. Many researchers simply weren't aware of the downstream impact their submissions were having on program teams. Once they understood, they adjusted. That kind of responsiveness reflects the community we've all built together.
Supporting Our Customers
The impact of AI-driven volume hasn't been uniform across programs. Public programs have felt it more acutely than private ones, because they're open to anyone, including those simply operating tooling. Programs with open-source repositories in scope have seen even higher submission rates, in part because AI code-scanning tools are being run against the same repositories by multiple researchers, leading to higher duplication rates.
Our approach with customers has been grounded in transparency and collaboration. We are working with them to help them understand the root causes of increased volume and, in many cases, have been able to optimize their program to meaningfully improve the signal-to-noise ratio. This comes at no cost because it relies on existing features already available within the HackerOne platform and on ensuring appropriate program scope. We're already seeing those improvements working, and we're proud of the partnership it's taken to get there.
Investing in Process and Product
Challenges like this are catalysts for innovation, and we're grateful for the push.
As we grew in 2025, we invested heavily in scaling triage, including developing TriageOne Smart Routing, a system designed to route reports to the right analyst based on skillset, severity, and researcher signal. The historical data we've accumulated is a real advantage here: it helps us distinguish a highly experienced, trusted researcher from a newly created account backed solely by automated tooling, and prioritize accordingly. We are also using this data to identify new and promising researchers whom we can work with to grow their skills and their access to programs that can benefit from their skillset. The volume surge in February accelerated our TriageOne adoption across all standard triage operations, and we're seeing meaningful improvements in our ability to surface the signal above the noise.
We also accelerated the development of our core agentic system, Hai, and the specialized agents that support it, including agents for deduplication, priority escalation, insight generation, and report assistance. These agents are helping customers and our team work smarter: in some cases, what once required nine manual steps now takes one. That's not about replacing our people—it's about freeing them to focus on the judgment calls that only humans can make.
Looking Ahead
We won't pretend the surge in AI-driven volume hasn't created real short-term challenges. It has. But we also believe it has made us better, more efficient, more intentional, and better prepared for what's coming. AI-driven volume isn't going away. The tools will keep improving, and so will we because we embrace them.
We're deeply grateful to the researchers who've embraced this feedback and continue to bring their expertise and integrity to every submission. We're grateful to the customers who've trusted us to navigate this with them. And we're energized by what it means to build the future of security research, together.
Let’s continue to work together to overcome this challenge, making the platform and the community stronger.