
AI bug hunting is being reshaped by volume and speed. Apple's top bug bounty rose from $200,000 in 2016 to $1 million in 2019 and to $2 million last year; now agentic AI is accelerating both vulnerability discovery and exploit development, causing a surge in vulnerability submissions. Researcher Joseph Thacker says he may have submitted three times as many bugs this year as at the same point last year, and companies like Google may need to pay 2 to 10 times last year's rewards; but as more low- and medium-severity vulnerabilities get found first, the number of submittable vulnerabilities may decline next year, and some companies will raise payouts again.

AI is also compressing the window for responsible disclosure and patching. Himanshu Anand points out that the 90-day disclosure regime was designed for a world where vulnerability finders were scarce and exploit development was slow, but LLMs have compressed both. If attackers can automate scanning and craft exploits faster, developers will face greater pressure to ship patches quickly; at the same time, deploying fixes too fast can bring side effects such as outages, so large-scale patch rollout remains a complex security problem.

The article also describes concrete offensive and defensive trends. Google researchers observed this month that a "well-known" cybercriminal attempted to exploit a zero-day developed with AI tools that could bypass two-factor authentication on an open-source system administration platform; Google promptly notified the developer and the flaw was patched. Meanwhile, Curl ended its bug bounty in January 2026 because low-quality AI-generated submissions caused overload; Linux's Linus Torvalds also said the security mailing list was almost "unmanageable". But Curl later said that high-quality AI-assisted reports had increased over the past few months at an unprecedented rate; Google in April lowered rewards for some Chrome and Android vulnerability categories and raised others, and Anthropic launched a new HackerOne bounty.

AI is reshaping bug hunting through volume and speed. Apple’s top bounty rose from $200,000 in 2016 to $1 million in 2019 and $2 million last year; now agentic AI is accelerating both vulnerability discovery and exploit creation, flooding disclosure programs with submissions. Independent researcher Joseph Thacker says he may have submitted three times as many bugs as at this time last year, while companies like Google could end up paying two to 10 times more in bug rewards; yet as easy finds get exhausted, next year may bring fewer submissions and another round of higher payouts.

AI is also compressing the timeline for responsible disclosure and patching. Himanshu Anand argues that the 90-day disclosure window was built for a world where bug finders were rare and exploit development was slow, but LLMs have shortened both timelines. If attackers can automate scanning and exploit generation faster, developers will face more pressure to ship fixes quickly; at the same time, rapid patch deployment can create outages and other unintended consequences, so large-scale patching remains a difficult security problem.

The article highlights concrete shifts on both offense and defense. Google researchers observed prominent cybercrime actors trying to exploit an AI-developed zero-day that bypassed two-factor authentication on an open-source system administration platform, and Google quickly notified the developer and secured a fix. Meanwhile, Curl ended its bounty in January after AI-generated low-quality reports caused overload, and Linus Torvalds said Linux's security mailing list had become almost unmanageable; later Curl said AI-assisted high-quality reports had surged, Google revised Chrome and Android rewards in April, and Anthropic launched a new HackerOne bounty.

2026-05-26 (Tuesday) · e9dc5500d81c73d208497831121ece983d0fca5e