{"id":7555,"date":"2026-03-20T16:50:53","date_gmt":"2026-03-20T16:50:53","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7555"},"modified":"2026-03-20T16:50:53","modified_gmt":"2026-03-20T16:50:53","slug":"stop-using-ai-to-submit-bug-reports-says-google","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7555","title":{"rendered":"Stop using AI to submit bug reports, says Google"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Google will no longer accept AI-generated submissions to a program it funded to find bugs in open-source software. However, it is contributing to a separate program that uses AI to strengthen security in open-source code.<\/p>\n<p>The Google Open Source Software Vulnerability Reward Program team is increasingly concerned about the low quality of some AI-generated bug submissions, with many including hallucinations about how a vulnerability can be triggered or reporting bugs with little security impact.<\/p>\n<p>\u201cTo ensure our triage teams can focus on the most critical threats, we will now require higher-quality proof (like OSS-Fuzz reproduction or a merged patch) for certain tiers to filter out low-quality reports and allow us to focus on real-world impact,\u201d <a href=\"https:\/\/bughunters.google.com\/blog\/ossvrp-rule-updates-2026\" target=\"_blank\" rel=\"noopener\">Google wrote in a blog post<\/a>.<\/p>\n<p>The Linux Foundation too is finding the <a href=\"https:\/\/www.infoworld.com\/article\/4129056\/is-ai-killing-open-source.html\">volume of AI-generated bug submissions overwhelming<\/a> and has sought financial help from AI companies including Google, Anthropic, AWS, Microsoft, and OpenAI to deal with the problem. Together, they are contributing $12.5 million to the foundation to improve the security of open-source software.<\/p>\n<p>\u201cGrant funding alone is not going to help solve the problem that AI tools are causing today on open-source security teams,\u201d <a href=\"https:\/\/alpha-omega.dev\/blog\/linux-foundation-announces-12-5-million-in-grant-funding-from-leading-organizations-to-advance-open-source-security\/#:~:text=%E2%80%9CAlpha-Omega%20was,power%20our%20world.%E2%80%9D\" target=\"_blank\" rel=\"noopener\">said Greg Kroah-Hartman of the Linux kernel project<\/a> in a blog post. \u201cOpenSSF has the active resources needed to support numerous projects that will help these overworked maintainers with the triage and processing of the increased AI-generated security reports they are currently receiving.\u201d<\/p>\n<p>The funding will be managed by open source security project <a href=\"https:\/\/alpha-omega.dev\/\" target=\"_blank\" rel=\"noopener\">Alpha-Omega<\/a> and the O<a href=\"https:\/\/openssf.org\/\" target=\"_blank\" rel=\"noopener\">pen Source Security Foundation<\/a> (OSSF) and will be used to provide AI tools to help maintainers deal with the volume of AI-generated submissions.<\/p>\n<p>\u201cWe are excited to bring maintainer-centric AI security assistance to the hundreds of thousands of projects that power our world,\u201d said Alpha-Omega co-founder Michael Winser.<\/p>\n<p><em>This article first appeared on <a href=\"https:\/\/www.infoworld.com\/article\/4148197\/stop-using-ai-to-submit-bug-reports-says-google.html\">InfoWorld<\/a>.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Google will no longer accept AI-generated submissions to a program it funded to find bugs in open-source software. However, it is contributing to a separate program that uses AI to strengthen security in open-source code. The Google Open Source Software Vulnerability Reward Program team is increasingly concerned about the low quality of some AI-generated bug [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7556,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7555","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7555"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7555"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7555\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7556"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7555"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7555"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7555"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}