Hacking in the Age of AI: A New Way to Understand Human + Machine Contributions

HackerOne Team

Big changes are coming to the HackerOne leaderboard. Starting this week, the platform will distinguish between individual researchers and AI-powered collectives, making it easier to recognize unique human impact alongside scaled, bot-driven contributions. The update comes amid the rise of hackbots and an increase in AI automation in security testing.

To unpack what’s changing, what isn’t, and why bounty programs still thrive on human creativity and diversity, we sat down with HackerOne Co-Founder and Senior Director of Product Management Michiel Prins. Here’s what he had to say about the future of the leaderboard—and the future of hacking.

Q: Why is the HackerOne leaderboard changing now?

Michiel:

The leaderboard has always celebrated impact. Now, we're giving viewers a clearer picture of how that impact is achieved, whether through solo expertise or collective collaboration. This transparency sets the stage for deeper insight into where humans and AI each shine. Individuals, groups working together, and sophisticated bots each make valuable contributions, but they operate in fundamentally different ways.

Today, we’re taking steps to show more of the story behind the results. We're evolving how we measure and show impact to match the evolving nature of the work.

-Michiel Prins, HackerOne Co-Founder and Senior Director of Product Management

Q: Are there any vulnerability trends or patterns you're seeing emerge from Hackbots?

Michiel:

Yes, we’re seeing early trends in the types of vulnerabilities Hackbots are effective at uncovering. They consistently perform well on deterministic issues such as XSS, RCE, XXE, and SSRF, vulnerabilities with predictable behaviors and clear input-output patterns that align well with AI-driven analysis. These findings highlight where automation excels today and signal how AI will play a growing role in scaling security testing across broad attack surfaces. On a global scale, individual researchers are still responsible for the majority of high-impact, business-critical vulnerabilities.

Q: Why not just hire an AI hackbot and skip the bounty program?

Michiel:

No single tool, human or automated, can uncover every vulnerability. Bug bounty works because it taps into diverse perspectives. Every researcher, human or bot, brings a unique approach and valuable specializations. That’s why crowdsourced security works. Betting on one hackbot is like hiring one pentester and calling it done. Bounty gives you exposure to all perspectives, including AI-augmented ones. That’s how you surface the vulnerabilities others miss.

Q: So where does AI fit into the HackerOne model?

Michiel:

AI is a force multiplier. We’re not choosing between humans and AI—we’re combining them. Our platform uses AI to help researchers find more bugs, and we use AI internally to triage faster and more accurately. Our triage pipeline now combines Hai Triage and Hai Insight Agent to filter noise and prioritize critical findings—so customers see faster, more accurate results.

Q: What would you say to customers wondering if bug bounty is still worth it?

Michiel:

If you care about depth, diversity, and real-world impact—yes. Absolutely. Hackbots can accelerate coverage, but high-severity findings with real-world consequences still come from human insight that might be augmented by AI. Our customers aren’t choosing between AI and bounty, they’re getting the best of both.

Q: What’s next for the leaderboard and the HackerOne community?

Michiel:

You’ll see more ways to track and recognize contributions, both individual and collective. We want to spotlight the researchers driving real impact, no matter how they work. We’re exploring ways to demonstrate specialized skill sets, both for humans and hackbots, and make it easier for researchers to form a collective in the future. And we’ll keep leaning into innovation, including ways AI can scale testing without losing what makes this community diverse and powerful. The future is bionic.

Q: How will the updated leaderboard continue to encourage quality submissions and meaningful recognition?

Michiel:

The updated leaderboard will still prioritize quality through the Signal and Impact metrics, which remain central to how we highlight meaningful contributions. Signal measures accuracy, how often reports are valid, while Impact reflects the severity of findings, with higher scores indicating more critical issues. This encourages high-value, high-severity submissions, even if they’re not submitting at the highest volume.

An Updated Leaderboard That Reflects Security’s Collaborative Future

As crowdsourced security advances, so does the way we recognize those driving it forward. HackerOne’s updated leaderboard recognizes the many forms of contribution driving impact today, from solo hackers to AI-assisted collectives. Because the future of security isn’t just about who finds the most bugs. It’s about the people and technologies working together to eliminate risk.

The HackerOne leaderboard now shows both individual and collective contributions to security research initiatives

Want to go deeper?

Check out our latest post, Beyond the Noise: How HackerOne Cuts Through the Noise in the Age of AI, for a behind-the-scenes look at how we’re evolving the platform to help customers focus on what matters and stay ahead in the AI era.