← Back to Journal
["bug-bounty""AI-agents""revenue""economics""defi""openclaw"]

The Economics of AI-Powered Bug Bounty Hunting — Real Numbers

How much can you actually earn running AI agents on bug bounty programs? We break down the time investment, hit rate, and real payout data from our first months of operation.

· 7 min read


The pitch for AI-powered bug bounty hunting sounds compelling: agents scan code 24/7, find vulnerabilities automatically, earn bounties on autopilot. The reality is more nuanced — but more profitable for teams that do it right.

Here's what the economics actually look like from running a multi-agent audit operation for the past several months.

The Raw Numbers

Before we get into methodology, here's the data:

  • Programs actively tracked: 255 across Immunefi, Cantina, and Sherlock

  • Reports submitted: 10 (across 6 different protocols)

  • Reports acknowledged: 6

  • Reports paid out: 1 ($5,000 — first payout, more pending)

  • Total time invested in audit work: ~40 hours (agent time + human review)

  • Effective hourly rate: ~$125/hour (early stage, improving)

    • The hit rate — 60% acknowledgment, 10% payout on submissions — is lower than we'd like. But the one payout we've received was a $5,000 finding that took an agent 2 hours to produce.

    Where the Time Actually Goes

    Most people's intuition about bug bounty work is wrong. The auditing itself isn't the bottleneck — finding vulnerabilities in known patterns is actually fairly straightforward with systematic tooling.

    The bottlenecks are:

    1. Scope validation (30% of time)
    Before writing a single line of analysis, you need to confirm:

  • The contracts you're auditing are actually in scope

  • The vulnerability you're targeting maps to a specific in-scope impact

  • The payout for that severity matches your expected return

    • Programs with vague scopes, outdated listings, or "all contracts" language without explicit asset lists get skipped. Every hour spent on out-of-scope work is hour you weren't auditing something winnable.

    2. Quality of finding (40% of time)
    A vulnerability that exists in theory but can't be exploited in practice is Informational at best. Every finding we submit has:

  • A working Foundry proof of concept

  • Specific dollar impact at current TVL

  • Exact code references

  • Severity mapped to the program's specific criteria

    • This level of rigor takes time. It also separates the hunters who get triaged quickly from the hunters who get acknowledged.

    3. Following up (20% of time)
    Most programs acknowledge within 24-48 hours. But severity disputes, requests for clarification, and appeals are common. You need to be responsive and precise when defending your severity assessment.

    4. Actually auditing code (10% of time)
    This is the fun part — and the part where AI agents provide the most leverage. Systematic scanning for the OWASP Top 10 patterns against a new protocol's codebase can be largely automated. The agent flags candidates; the human reviews and elevates to a real submission.

    The AI Advantage: Speed and Scale

    Here's where AI agents change the equation. Traditional bug hunting:

    | Activity | Manual | AI-Assisted |
    |----------|--------|-------------|
    | Program discovery | 2-3 hrs/week | 5 min/week (automated) |
    | Scope validation | 30 min/program | 2 min/program |
    | Pattern scan (10 contracts) | 4-6 hours | 20 minutes |
    | Finding quality | Variable | Consistently high |
    | Reports per week | 1-2 | 3-5 |

    At 3-5 quality reports per week, even at a 20% acknowledgment rate, you're looking at 3-4 acknowledged findings per month. At an average payout of $2,500-10,000 per finding across Medium and High severity programs, the math works.

    The agents don't replace judgment — they amplify it. An auditor who knows what to look for and has systematic tooling will always outperform one relying on intuition alone.

    What Programs Actually Pay For

    Based on our submission history and what we've seen in program payouts:

    What gets acknowledged:

  • Access control bypasses with concrete exploit paths

  • Oracle manipulation with TVL-aligned impact

  • Reentrancy with clean PoCs

  • Storage/storage collisions in upgradeable proxies

    • What gets rejected:

  • "Centralization risk" without additional exploitability

  • "Could theoretically do X" without a specific attack path

  • Vulnerabilities in out-of-scope contracts

  • "Not recommended" findings that don't map to a specific impact

    • Immunefi's severity criteria are explicit: for Medium severity, you need "Direct vulnerability in an in-scope contract leading to loss of funds." For High and Critical, the bar is proportionally higher.

    The Real Opportunity No One Is Talking About

    Most solo hunters focus on Critical/High severity bugs. That's the right instinct for maximizing payout per finding, but it creates a few problems:

  • Competition is fierce on well-audited protocols with large communities

  • Time to finding is longer because you're looking for harder bugs

  • Programs get audited thousands of times before a real bug is found

    • The underappreciated opportunity: newly added contracts on Immunefi programs.

    When a protocol adds new contracts to their scope, several dynamics change:

  • Fresh attack surface that hasn't been audited yet

  • Lower competition (most hunters are working the existing scope)

  • More attentive developers (they just added these contracts for a reason)

  • Higher likelihood of integration bugs (new contracts interacting with old ones)

    • We found our $250,000 HIGH in a contract that had been in scope for less than 24 hours.

    How to Get Started

    If you want to run an AI-augmented bug hunting operation:

    1. Set up the infrastructure (1-2 days)

  • Mac mini or VPS running 24/7

  • OpenClaw with specialized agents

  • Supabase for pipeline tracking

  • Program monitoring on Immunefi, Cantina, Sherlock

    • 2. Define your workflow (1 day)

  • Pre-audit scope validation checklist

  • Finding template per platform (Immunefi, Cantina, Sherlock all have different formats)

  • PoC standards (Foundry tests minimum)

  • Severity justification framework

    • 3. Start auditing (ongoing)

  • Prioritize newly added programs

  • Focus on oracle contracts, cross-chain bridges, and lending protocols

  • Quality over quantity — one well-documented submission beats five weak ones

    • 4. Track everything (ongoing)

  • Every program in a pipeline with status

  • Time-to-acknowledgment and time-to-payout

  • What severity levels actually pay out for each program

    • The economics work — but only for teams that invest in systematic process, not just tooling.

    ---

    *We're running this operation as part of OpenClaw Launchpad. Our agents run continuously, tracking 255+ programs and auditing newly added contracts. Follow our journal for case studies and methodology write-ups as findings are resolved.*

    Running AI agents for DeFi security research?

    OpenClaw Launchpad — White-glove AI agent setup →