The Zcash Community Grants Committee (ZCG), a community funding group for the privacy-focused Zcash ecosystem, said in a May 26 forum post that it closed its vulnerability bounty program as AI tools made it easier to spam maintainers with "duplicate, low-signal, and speculative" reports.
ZCG said the normal disclosure process remains open, so researchers can still report valid and reproducible vulnerabilities. Reports submitted before the announcement will still be handled under the rules that applied when they were filed.
The committee argues AI tools are changing both sides of software security. Although they can help find vulnerabilities, they can also create a stream of "AI-hallucinated submissions" that still require serious human review.
ZCG
- ZCG compared the problem to the curl project, whose creator, Daniel Stenberg, had described AI-generated vulnerability reports as "death by a thousand slops."
- Curl ended its bug bounty in early 2026 after what ZCG described as an explosion of AI slop reports and a lower confirmed vulnerability rate.
The committee reassured that structured security work will continue.
Least Authority, a security firm, remains the Zcash Ecosystem Security Lead, covering audits, vulnerability coordination and expert consultation. ZCG also said it's working with Zellic, a crypto security firm, on access to V12, an AI-assisted auditing platform that combines LLM analysis with traditional static analysis.
But the decision drew some pushback in the forum. A user named scalar noted that the bounty existed for the right reason but had a structure "meant to fail," arguing that Zcash should move the program to platforms such as HackerOne, Immunefi or HackenProof.
- Still, even crypto security platforms themselves face pressure. As The Coinformer reported earlier, Code4rena, a Paradigm-backed crypto security platform known for competitive smart contract audits, shut down after helping find more than 1,600 high-severity vulnerabilities.
In the meantime, AI is also reshaping the wider DeFi security debate. On May 27, Manuel Aráoz, the co-founder of blockchain security firm OpenZeppelin, who left the company in 2019, said he now considers "all of DeFi unsafe" because AI agents can find vulnerabilities faster than teams can fix them.
- OpenZeppelin itself pushed back, saying AI is a real threat but can also be a defensive tool when used with expert human judgment.
