Three years ago a researcher who found a prompt injection in a public AI product had a tricky decision. There was no obvious place to disclose it. Vendors were ambivalent about whether the behavior counted as a bug. Bug bounty programs explicitly carved AI behaviors out of scope. Independent posting was the norm, often with mixed reception. By 2026 the picture has changed substantially. Most major AI products run bounty programs that include prompt injection in scope, payouts are settling into recognizable bands, and triage teams have built workflows for what was, until recently, a category they did not know how to handle.
Scope Is Stabilizing
The first thing that changed is what counts. In 2024 most programs that did accept AI submissions did so vaguely. "Submit AI-related issues; we will review case by case." That phrasing produced a flood of low-quality reports — minor jailbreaks, expected hallucinations, cosmetic prompt leaks — and a backlog the triage teams could not clear. The 2026 version of the same scope page is dramatically tighter. Programs now distinguish between several categories.
In-scope, high-impact. Indirect prompt injection that causes the agent to take unintended actions on behalf of the user. Direct injection that exfiltrates the system prompt when the system prompt contains genuinely sensitive content. Injection that bypasses an explicitly advertised safety control. These categories pay, and the payouts are real — five-figure bounties for credible reports are common, with several disclosed payouts north of a hundred thousand dollars in the last year.
In-scope, lower-impact. Direct injection that produces unsafe content the model would otherwise refuse. Output-side leakage of bounded amounts of training data. These pay smaller amounts, often capped, and are the workhorse category of submissions.
Out-of-scope, named. Generic jailbreaks that produce content the program does not consider harmful. Hallucinations. Edge cases involving multilingual or low-resource inputs where the program acknowledges robustness gaps. Naming these explicitly was the change that made triage manageable. Researchers have a clear filter and stop submitting reports that will be closed.
The clarity is what made the category investible for both sides. Researchers can now plan a session knowing what payoff to expect for a given finding. Programs can size their triage capacity. Both numbers were guesswork two years ago.
Payout Norms Are Forming
The payout structure that has emerged is broadly consistent across the larger programs. Indirect injection with a tool-use payoff sits in the "critical" band, often paying like a server-side request forgery or a privilege escalation. Direct injection of high-impact behavior sits one band lower. Information disclosure issues — system prompt leak, training data leak — pay according to the sensitivity of what was leaked.
Two notable adjustments have entered the structure. The first is chain bonuses, where a single report that combines a low-severity finding into a high-impact exploit gets paid as the high-severity exploit would, even if the lower component was previously known. This rewards the engineering work of building a real attack and discourages the perverse incentive to hold a low-severity finding in case it can be chained later.
The second is reproduction tax. Programs increasingly require a clean reproduction in a fresh session, with deterministic-enough behavior that the triage team can verify. Reports that work only against a specific lucky session — common for prompt injection — are downgraded or closed. This raises the bar but also raises the average quality of accepted submissions, which in turn keeps the average payout high.
Triage Has Built A Playbook
The hard part of running a bounty program for prompt injection is not deciding what to pay. It is reproducing the bug reliably enough to fix it. Models change. Sampling varies. A payload that worked on Tuesday may fail on Thursday for reasons the model team cannot explain.
The 2026 triage playbook has converged on a few practices. The first is frozen test environments. Programs maintain a snapshot of their production model and configuration that triage uses for verification. Submissions are tested against the snapshot, not against the moving production target. The second is statistical reproduction. Rather than requiring a single deterministic reproduction, triage runs the payload against the model many times and measures the success rate. A payload with a 30 percent success rate is a real bug, and the rate becomes part of the report metadata.
The third is side-by-side patch verification. Once a fix is shipped, the triage team replays the payload against both the patched and unpatched models, and the success rate is reported back to the researcher. This builds trust that the fix is real and not a model update that happened to mask the behavior.
The fourth is structured impact taxonomy. Programs publish a standard impact rubric that maps observable behaviors to severity bands. Researchers draft their reports against the rubric. Triage applies it consistently. The most common cause of researcher dissatisfaction in 2024 was inconsistent severity assessment across submissions; the rubrics fixed it.
Researcher Culture Is Maturing Too
The early prompt injection community was small enough that most researchers knew each other and disclosure norms were informal. The current community is much larger, and the norms have correspondingly hardened. Coordinated disclosure timelines mirror the rest of security — typical 90-day windows, with extensions on request and a clear appeals path. Public write-ups land after fixes ship and after vendor approval, with rare exceptions.
The labor market has shifted accordingly. Several boutique firms now specialize in prompt injection research, run by ex-academic and ex-industry researchers who built their reputations through 2023 and 2024. Their staff sizes are tiny, their bounty earnings are large, and their findings are increasingly the seed material for vendor evaluation suites. The information flow from researcher to vendor to enterprise customer to broader community is faster and more structured than it was a year ago.
What Still Does Not Work
Two parts of the ecosystem remain rough. The first is non-flagship products. Programs run by major AI labs are mature. Programs run by enterprise companies that ship LLM features into their existing products are uneven. Many of those companies do not have a bounty program at all, and disclosure for prompt injection in those contexts often ends up posted publicly because there was no obvious channel. This is a temporary state — the same maturation curve will play out — but for now researchers have to navigate inconsistency.
The second is multi-vendor exploit chains. A finding that requires coordination across two vendors — say, a prompt injection in product A that leverages a misconfiguration in product B — has no clean disclosure home. Both vendors push back. The researcher gets stuck. Mature programs are starting to handle this through a "shared disclosure" track, but it is not yet standard practice.
Direction For The Year
Prompt injection bounty submissions will continue to grow through the rest of 2026. Programs that have not yet defined scope clearly will catch up. The "out of scope, named" list will keep expanding as the categories of well-understood limitations grow. Payouts at the top end will keep climbing for the rare, high-impact, multi-step exploits — the kind that combine injection with tool misuse and credential exfiltration — and the floor will keep rising as routine submissions become higher quality. The category is following the well-worn trajectory of every other class of vulnerability that started in research and ended up institutionalized.
How Safeguard Helps
Safeguard turns the work of running, ingesting, and responding to prompt injection findings into a managed pipeline. Disclosed CVEs and bounty-published advisories that touch model providers, MCP servers, and AI components in your environment are matched against your AI bill of materials and surfaced as findings the moment they are public. Internal red team reports and bounty submissions can be ingested through the same workflow, mapped to the affected products, and tracked to remediation alongside other security findings. Reproduction metadata, severity rubrics, and patch verification artifacts are stored with the finding so triage history is auditable rather than tribal. Whether you are running your own program, consuming external research, or both, Safeguard gives you the same structured response to prompt injection that you already expect for traditional vulnerabilities.