Anthropic, Google and Microsoft quietly launch AI bug‑bounty programs to curb security

The prompt‑injection technique uncovered by a Johns Hopkins research team shows that the same data‑flow architecture used by all three major AI‑assisted GitHub Actions can be weaponised to exfiltrate secrets, according to an exclusive interview with researcher Aonan Guan published by The Register (15 April 2026). Guan demonstrated that by embedding malicious commands in a pull‑request title, the Claude Code Security Review action executed a Bash command, returned the output in its JSON payload, and posted the result as a comment on the same pull request. The same pattern was replicated against Google’s Gemini CLI Action and Microsoft’s GitHub Copilot bot, allowing the researchers to harvest GitHub access tokens and Anthropic API keys without the vendors’ knowledge. The researchers initially reported the Claude vulnerability on HackerOne in October and were later invited by Anthropic to expand the proof‑of‑concept to extract additional credentials, after which each company issued a modest “beer‑money” bounty but stopped short of publishing CVEs or public advisories.

The silence from the vendors is striking given the potential breadth of the attack surface. Guan warned that any GitHub Action that consumes PR titles, issue bodies or comments as part of its prompt can be subverted, a risk that extends beyond the three agents studied to Slack bots, Jira integrations, email processors and deployment automation tools that also rely on AI‑driven parsing of repository metadata. “If they don’t publish an advisory, those users may never know they are vulnerable – or under attack,” Guan told The Register. The researchers’ findings suggest that a non‑trivial fraction of enterprise customers may already be running vulnerable versions of these agents, a scenario that could expose sensitive credentials across a swath of development pipelines.

In response, Anthropic, Google and Microsoft each launched private bug‑bounty programs to incentivise further disclosures, but they have kept the programs under the radar. The companies have not assigned CVE identifiers, nor have they issued public security notices, a practice that diverges from the standard industry response to critical supply‑chain flaws. By offering “beer‑money” rewards rather than formal acknowledgements, the firms appear to be managing the risk quietly while avoiding the reputational fallout that a public advisory could generate. This approach may also reflect a strategic calculation: acknowledging a systemic vulnerability in AI‑driven CI/CD tools could prompt a wave of scrutiny from regulators and customers, especially as enterprises increasingly rely on these agents for code review and automated security checks.

From a market perspective, the episode underscores a growing tension between rapid AI integration and the maturity of security controls. While AI‑augmented development promises efficiency gains, the underlying prompt‑injection vector reveals a class of flaws that traditional static‑analysis tools are ill‑equipped to detect. Investors and enterprise buyers are likely to reassess the risk profile of AI‑enhanced DevOps platforms, demanding clearer disclosure policies and more robust isolation mechanisms for AI agents that interact with code repositories. The lack of public remediation could also influence procurement decisions, as firms may favour vendors that adopt transparent vulnerability‑management practices.

Analysts note that the episode may accelerate a shift toward “AI‑sandboxed” execution environments, where prompts are sanitized before reaching the model and outputs are vetted before being acted upon. Such architectural changes would add latency and cost, but could become a prerequisite for compliance in regulated sectors. Until vendors adopt these safeguards, the market will continue to grapple with the paradox of deploying powerful, yet potentially exploitable, AI assistants in critical software supply chains.