Stop using AI to submit bug reports, says Google
Summary
Google will no longer accept AI-generated bug reports for its open-source software vulnerability reward program because many contain hallucinations (false or made-up details about how vulnerabilities work) and report bugs with low security impact. To address the problem of overwhelming AI-generated submissions across the open-source community, Google and other major AI companies (Anthropic, AWS, Microsoft, and OpenAI) are contributing $12.5 million to the Linux Foundation to fund tools that help open-source maintainers filter and process these reports.
Solution / Mitigation
Google now requires higher-quality proof, such as OSS-Fuzz reproduction (automated testing that demonstrates the bug) or a merged patch (code fix already accepted into a project), for certain tiers of bug reports to filter out low-quality submissions. The $12.5 million in funding, managed by Alpha-Omega and the Open Source Security Foundation (OSSF), will be used to provide AI tools that help maintainers triage and process the volume of AI-generated security reports they receive.
Original source: https://www.csoonline.com/article/4148203/stop-using-ai-to-submit-bug-reports-says-google-2.html
First tracked: March 20, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%