The Zero Day Initiative, the largest vendor-agnostic bug bounty program in the world, has seen a 490% increase in vulnerability submissions this month compared to April 2025, according to data provided to Mashable. The month is not yet over.

“Organizations that receive bug reports are struggling to keep up with the triage and response process,” Dustin Childs, Head of Threat Awareness at the Zero Day Initiative, told Mashable. The Internet Bug Bounty Program shut down entirely on March 27, citing the AI-driven submission surge as having changed the “landscape” of bug discovery.

The Quality Inflection

The narrative around AI-generated bug reports has reversed. In 2025, security researchers flagged that most AI-discovered bugs were low quality. That is no longer the case.

Daniel Stenberg, lead developer of cURL, confirmed in an April blog post that both the volume and severity of bug reports are increasing in 2026. cURL received more bug reports in 2025 than in the previous two years combined, and 2026 is tracking to double that figure. The confirmed vulnerability rate has returned to and surpassed pre-AI levels, “somewhere in the 15-16% range,” according to Mashable.

Stenberg said he had heard from more than 20 open-source projects “who all confirm this trend: a larger volume of decently high-quality security reports,” according to Mashable.

Claude Mythos and the Disclosure Backlog

Anthropic’s Claude Mythos, which the company described as capable of autonomously discovering and exploiting zero-day vulnerabilities across every major operating system, is contributing to the bottleneck. In an April 7 blog post, Anthropic disclosed that “fewer than 1% of the potential vulnerabilities we’ve discovered so far have been fully patched by their maintainers,” according to Mashable.

Anthropic said it triages discoveries and discloses only the highest-severity bugs first to avoid flooding organizations with “an unmanageable amount of new work.” The company estimates that current findings represent “a small fraction” of what it will discover in the months ahead, and it has hired security contractors specifically to manage the disclosure volume, according to Mashable.

The Exploitation Window Is Collapsing

CrowdStrike’s 2026 Global Threat Report documents the same pressure from the attacker side. The report found an 89% year-over-year increase in attacks by AI-enabled adversaries and a 42% increase in zero-day vulnerabilities exploited before public disclosure, according to the CrowdStrike blog. The fastest observed breakout time was 27 seconds.

“Frontier models are a new class of highly capable AI systems that can identify vulnerabilities, generate proof-of-concept exploits, and map attack paths at increasing speed and scale,” CrowdStrike wrote, citing Anthropic’s Claude Mythos and OpenAI’s GPT-5.4-Cyber as early signals of the trend, according to the CrowdStrike blog.

Microsoft patched 165 bugs in its April security update, the second largest monthly release in Microsoft’s history. Childs cited AI as a likely cause for the increase, according to Mashable.

The Maintainer Burden

The human cost is concentrated on open-source maintainers. “I can only imagine that projects that are all volunteers, with a larger code base that perhaps has gotten less scrutiny, can easily get drowned in quality reports,” Stenberg told Mashable. “That has to be overloading and take a mental toll on many maintainers.”

The gap between discovery speed and patch speed is widening, not narrowing. CrowdStrike’s recommendation: organizations must shift from “managing vulnerabilities” to “managing exposure and risk,” prioritizing not by severity score but by which vulnerabilities are reachable, exploitable, and likely to be targeted, according to the CrowdStrike blog.