Critical Thinking - Bug Bounty Podcast

Episode 162: HackerOne Training AI on Bug Bounty Data?

Feb 19, 2026
Alex Rice, Co-founder and CTO of HackerOne, leads the company's product and security vision. He tackles concerns about using HackerOne data for AI training and explains anonymization and licensing. They discuss PTaaS, agentic tooling that mixes models with human oversight. The conversation also covers bounty benchmarking changes and how researchers can report suspected data leaks.
INSIGHT

Terms Were Written Before Modern LLMs

  • HackerOne is not fine-tuning generative models on researcher submissions and acknowledges its terms predate modern LLMs.
  • They admit their terms need clarification to differentiate classic ML from large language models.
INSIGHT

Anonymized Data Powers Benchmarks Only

  • HackerOne currently uses anonymized aggregated data for the Hacker-Powered Security Report and benchmark features.
  • They state that anonymized/aggregated data is not being fed into LLMs today.
ANECDOTE

Personal Zero-Day Leak And Resolution

  • Justin recounts a zero-day report that was misused and how HackerOne investigated and reprimanded the responsible party's employer.
  • The incident was resolved to Justin's satisfaction and reinforced that leaks often originate from customers rather than platform AI.