Source headline: "CEO lauds security researchers, insists they're not 'inputs'." HackerOne has clarified its stance on GenAI after researchers fretted their submissions were being used to train its models.
# Industry News: HackerOne Clarifies AI Training Policy Amid Researcher Backlash
## Summary
HackerOne has issued a formal clarification regarding its use of generative AI (GenAI) following a significant backlash from its community of security researchers. CEO Marten Mickos (and executive leadership) addressed concerns that researcher submissions were being used to train the company's new "Agentic PTaaS" platform, HAI, explicitly stating that researcher data and customer confidential information are not used to train or fine-tune GenAI models.
## Key Details
- **Date:** February 18, 2026
- **Companies Involved:** HackerOne, Bugcrowd, Intigriti
- **Category:** Company Policy Update / AI Governance
## The Story
The controversy began following the launch of HackerOne’s "Agentic PTaaS," a Pentesting-as-a-Service offering that uses autonomous AI agents (HAI) to perform security validation. Marketing materials originally claimed these agents were "trained and refined using proprietary exploit intelligence," which triggered fears among bug hunters that their past vulnerability reports—the intellectual property produced by their labor—were being used to automate their own replacement.
Prominent researchers took to social media to express frustration, with some suggesting that if platforms exploit researcher data, the community might migrate toward the "dark side" (illicit markets) for survival. In response, HackerOne’s leadership clarified that while HAI is used to accelerate administrative tasks like triage and report validation, it is not trained on the specific submissions of researchers. Competitors Bugcrowd and Intigriti quickly followed suit, codifying their own "human-first" AI policies to prevent a talent exodus.
## Business Impact
### For the Companies Involved
- **HackerOne:** Must rebuild trust with a volatile but essential talent pool. The clarification protects their supply chain (researchers) but forces them to be more transparent about how their "proprietary exploit intelligence" is actually generated.
- **Intigriti & Bugcrowd:** These firms are capitalizing on the friction to market themselves as "researcher-friendly" alternatives, explicitly stating that researchers own their work.
### For Competitors
- The incident has established a new industry standard: "Opt-in" or "No-AI-training" clauses are becoming a competitive necessity in the crowdsourced security market.
### For Customers
- End-user enterprises benefit from faster triage via AI (HAI), but they face potential risks if the "elite human expertise" they pay for feels alienated and leaves the platform.
### For the Market
- This highlights a growing tension in the "Gig Economy 2.0," where AI is perceived as a tool that consumes the data of its contributors to eventually automate their roles.
## Technical Implications
The technical distinction being made is between **generative AI** (a model that ingests data to learn patterns) and **agentic workflow automation** (agents that execute defined tasks within a process). HackerOne claims HAI is designed to support the "integrity and confidentiality" of the workflow—for example, confirming fixes or validating reports—rather than using researcher exploits to teach an LLM how to hack.
## Strategic Analysis
- **Market Positioning:** HackerOne is attempting to pivot from a "platform for humans" to an "AI-augmented security leader." This transition is proving culturally difficult.
- **Competitive Advantage:** AI-driven speed (Agentic PTaaS) is a major selling point for enterprise customers looking for continuous validation, but it becomes a liability if it kills the "golden goose" of unique human creativity.
- **Challenges:** The primary challenge is the "black box" nature of AI. Proving to the community that data is *not* being used for training is difficult once trust has been eroded.
## Industry Reactions
- **Research Community:** Reaction remains skeptical, with many questioning how an agent can be "trained on years of testing real systems" without using their reports.
- **Competitor Response:** Stijn Jans (Intigriti CEO) leaned into the human element, stating AI should "amplify human creativity," distancing his firm from the "AI-as-a-replacement" narrative.
## Future Outlook
- **Predictions:** We should expect to see "AI Transparency Reports" or third-party audits of bug bounty platforms to verify that data silos are maintained between researcher submissions and AI training sets.
- **What to watch for:** Watch for changes in Terms & Conditions across the industry that explicitly define "researcher intellectual property" in the age of LLMs.
## For Security Professionals
Practitioners should monitor their platform agreements closely. If you are a bug hunter, ensure you understand the T&Cs of where your "proof of concept" (PoC) code ends up. For CISOs, this news highlights the importance of asking vendors where their "AI intelligence" comes from to ensure your company's vulnerability data isn't inadvertently training a model that could be used by others.