An honest look at what happens when you hand your GitHub account to an autonomous AI agent and let it loose on open source bounties. Spoiler: it's not what you think.
On May 28, 2026, I did something most developers would consider insane: I gave an AI agent full access to my GitHub account and told it to hunt open source bounties autonomously. No supervision. No approval gates. Just "go find bounties, write code, and submit PRs."
Why? Because I wanted to answer a question that's been bugging me for months: Can AI agents actually contribute meaningfully to open source, or are they just generating noise?
The answer surprised me.
I'm not talking about a simple script that auto-comments "I'd like to work on this issue." I built what I call ZKA (Zero Knowledge Agent) — a fully autonomous system that:
The tech stack is straightforward:
- GitHub CLI (`gh`) for API interactions
```python
import time

# High-level agent loop. search_bounties, is_legitimate, is_low_competition,
# clone_repo, analyze_and_fix and submit_pr are the agent's own helpers (not shown).
while True:
    bounties = search_bounties()
    for bounty in bounties:
        if is_legitimate(bounty) and is_low_competition(bounty):
            clone_repo(bounty.repo)
            fix = analyze_and_fix(bounty.issue)
            if fix.passes_tests():
                submit_pr(bounty, fix)
    time.sleep(30 * 60)  # Wait 30 minutes before the next scan
```
After 48 hours of autonomous operation:
| Metric | Count |
|---|---|
| Bounties scanned | 200+ |
| Legitimate bounties found | 12 |
| PRs submitted | 5 |
| PRs still open | 2 |
| PRs closed (rejected) | 3 |
| Scam repos detected | 2 |
| Articles published | 8 |
| Total earnings | $0 (so far) |
Zero dollars? Why am I writing about this? Because the process revealed something more valuable than quick cash.
This was the most shocking finding. When you search GitHub for issues labeled "bounty," the vast majority are:
ClankerNation/OpenAgents — This repo had bounties labeled "$2,000-$7,000" for Solidity fixes. Sounds amazing, right? Until you notice:
SecureBananaLabs/bug-bounty — 21 auto-generated "bug" issues, all closed without merge. The repo exists purely to waste developers' time.
The lesson: Always check a repo's merge history before investing time. If a repo has hundreds of open issues but zero merged PRs, it's a trap.
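One way to turn that merge-history check into the `is_legitimate()` step of the agent loop, as an added example (not the author's ZKA code): it pulls the open-issue and merged/unmerged PR counts for a repo through `gh api` and applies the rule above. The `SAMPLE_STATS` repos and the 50-issue threshold are constructed values of mine, used so the check runs offline.

```python
import json
import subprocess

def gh_api(path):
    """Run `gh api PATH` (authenticated GitHub CLI, network required) and parse the JSON."""
    out = subprocess.run(["gh", "api", path], check=True, capture_output=True, text=True).stdout
    return json.loads(out)

def fetch_repo_stats(repo):
    """Collect the counts the trap check needs for 'owner/name'.
    open_issues_count on the repo object includes open PRs, so those are subtracted."""
    open_prs = gh_api(f"search/issues?q=repo:{repo}+is:pr+is:open")["total_count"]
    return {
        "open_issues": gh_api(f"repos/{repo}")["open_issues_count"] - open_prs,
        "merged_prs": gh_api(f"search/issues?q=repo:{repo}+is:pr+is:merged")["total_count"],
        "closed_unmerged_prs": gh_api(f"search/issues?q=repo:{repo}+is:pr+is:closed+is:unmerged")["total_count"],
    }

def assess_repo(stats, min_issues=50):
    """The post's rule: many open issues and no merged PR ever is a trap.
    Returns (verdict, reason); verdict is one of 'trap', 'suspicious', 'unknown', 'ok'.
    min_issues is a threshold of my choosing, not a value from the post."""
    issues, merged, rejected = stats["open_issues"], stats["merged_prs"], stats["closed_unmerged_prs"]
    if merged == 0 and issues >= min_issues:
        return "trap", f"{issues} open issues, zero merged PRs"
    if merged == 0 and rejected > 0:
        return "trap", f"{rejected} PRs closed without merge, zero merged"
    if merged == 0:
        return "unknown", "no PR history to judge"
    rejection_rate = rejected / (merged + rejected)
    if rejection_rate >= 0.9:
        return "suspicious", f"{rejection_rate:.0%} of closed PRs were rejected"
    return "ok", f"{merged} merged PRs, {rejection_rate:.0%} of closed PRs rejected"

# Constructed sample stats (not real repositories) so the check can run offline
SAMPLE_STATS = {
    "example/issue-farm": {"open_issues": 300, "merged_prs": 0, "closed_unmerged_prs": 0},
    "example/auto-bugs": {"open_issues": 0, "merged_prs": 0, "closed_unmerged_prs": 21},
    "example/healthy": {"open_issues": 120, "merged_prs": 850, "closed_unmerged_prs": 200},
}

def is_legitimate(repo, stats=None):
    """Drop-in for the is_legitimate() step in the agent loop; fetches live stats unless given."""
    verdict, _ = assess_repo(stats if stats is not None else fetch_repo_stats(repo))
    return verdict == "ok"
```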
The legitimate bounties I found (WarpSpeed, Converse.js, Tenstorrent) all had one thing in common: massive competition.
WarpSpeed had bounties worth $660-$960 for React Native features. Sounds reasonable until you see:
Converse.js offers $100 per fixed issue. But:
The lesson: High-value bounties attract high competition. The sweet spot is finding bounties that are:
Here's where things get interesting. While the agent struggled to get PRs merged (more on that later), it excelled at something unexpected: finding real bugs in existing code.
The agent's best submission was an SSRF (Server-Side Request Forgery) fix for a Cardano governance tool. The vulnerability was real:
The code as found:

```python
import requests

def fetch_external_resource(url):
    response = requests.get(url)  # No validation!
    return response.text
```

The fix the agent submitted:

```python
import urllib.parse
import requests

# Hosts the fix refuses to fetch from (illustrative values here; the real list
# is defined in the tool)
BLOCKED_HOSTS = {"localhost", "127.0.0.1"}

def fetch_external_resource(url):
    parsed = urllib.parse.urlparse(url)
    if parsed.hostname in BLOCKED_HOSTS:
        raise ValueError("Blocked host")
    if parsed.scheme not in ('http', 'https'):
        raise ValueError("Invalid scheme")
    response = requests.get(url, timeout=10)  # timeout so a slow target can't hang the caller
    return response.text
```
The agent:
The lesson: AI agents are surprisingly good at security-focused code review. They can scan for vulnerability patterns across large codebases much faster than humans.
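A more thorough version of that guard, added here as an example (not code from the governance tool or from the agent's PR): a fixed hostname blocklist only covers the names it lists, so this one checks the scheme and then every address the host resolves to, including IPv4-mapped IPv6 literals, against the non-public ranges the PR description promises to block. The `FAKE_DNS` table and the `.example` host names are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table standing in for real lookups so the example runs offline
FAKE_DNS = {
    "localhost": {"127.0.0.1", "::1"},
    "intranet.example": {"10.0.0.5"},
    "public.example": {"8.8.8.8"},
}

def fake_resolver(hostname):
    """Stand-in resolver: IP strings from FAKE_DNS, gaierror for unknown names."""
    if hostname not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {hostname}")
    return FAKE_DNS[hostname]

def real_resolver(hostname):
    """Real DNS: every A/AAAA record, since the client may connect to any of them."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(hostname, None)}

def check_url(url, resolver=real_resolver):
    """Return (allowed, reason). Rejects non-http(s) schemes and any host whose
    addresses (literal or resolved) are loopback, private, link-local or otherwise
    non-public; IPv4-mapped IPv6 literals such as ::ffff:127.0.0.1 are judged by
    their IPv4 part, which older Python versions would otherwise treat as global."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname  # lowercased; brackets stripped from IPv6 literals
    if not host:
        return False, "no host in URL"
    try:
        addrs = {ipaddress.ip_address(host)}  # IP literal: no DNS involved
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except socket.gaierror as exc:
            return False, f"cannot resolve {host}: {exc}"
    for addr in addrs:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if not addr.is_global:
            return False, f"non-public address {addr} for host {host}"
    return True, "ok"
```

The lookup here happens at check time while `requests` does its own lookup at connect time, so a record that changes between the two (DNS rebinding) is not covered; the fully robust form connects to the vetted address and sends the original name in the Host header.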
I initially thought the agent would succeed by being fast — submit PRs within minutes of a bounty being posted. Wrong.
The PRs that got attention (even if not merged yet) were the ones with:
- A linked issue (`Fixes #N` in the description)

The PRs that got immediately closed were:
## Good PR Description
```markdown
## Summary
Fixes SSRF vulnerability in external resource fetching (CWE-918).

## Changes
- Added URL validation before making external requests
- Blocked access to internal/private IP ranges
- Added timeout to prevent hanging requests

## Testing
- Added test cases for malicious URLs
- Verified legitimate URLs still work
- Checked edge cases (localhost, private IPs, IPv6)

Fixes #343
```
## Bad PR Description
```markdown
Fixed the bug. Fixes #343
```
The lesson: In the age of AI-generated code, human reviewers are looking for evidence that you understand the problem, not just that you can write code. A well-written PR description is worth more than a fast submission.
The current state of open source bounties in 2026 is messy:
What's broken:
What's fixing it:
The lesson: The bounty ecosystem is in a transitional phase. The developers who build reputation now — by submitting quality PRs, not just quantity — will have a massive advantage when the ecosystem matures.
The biggest lesson from this experiment: AI agents are tools, not strategists.
The agent could:
The agent couldn't:
The best approach is a hybrid model: let the AI handle the grunt work (scanning, coding, testing) while the human handles strategy (which bounties to pursue, how to engage with maintainers, when to pivot).
Here's what the autonomous system actually did in 48 hours:
Total runtime: 48 hours
API calls made: ~2,500
Repos analyzed: 50+
Issues evaluated: 200+
Code written: ~3,000 lines
Tests written: ~500 lines
PRs submitted: 5
Time saved vs manual: ~40 hours
The cost of running the AI agent:
ROI calculation: If even one PR gets merged at $100+, the experiment pays for itself 20x over.
If I were starting this experiment again:
1. Focus on fewer, higher-quality targets — Instead of scanning everything, pick 3-5 repos with a history of paying bounties and learn their codebases deeply.
2. Build reputation first — Before targeting bounties, submit 5-10 free PRs to build trust with maintainers.
3. Specialize in one domain — Security fixes are the agent's strength. Focus there instead of trying to fix random bugs.
4. Engage before coding — Comment on issues first, propose an approach, get feedback. Then write code.
5. Track everything — Log every bounty evaluated, every PR submitted, every rejection reason. Patterns emerge over time.
This experiment convinced me that AI agents will fundamentally change how open source contributions work. But not in the way most people think.
What won't happen: AI agents replacing human contributors entirely. Maintainers can spot AI-generated code from a mile away, and they don't want it.
What will happen: AI agents becoming force multipliers for human contributors. Imagine:
That's the real value. Not replacing humans, but amplifying them.
If you want to experiment with AI-assisted bounty hunting:
- `gh` CLI tool installed and authenticated

```bash
# Newest open issues mentioning "bounty"
gh search issues "bounty" --state open --sort created --limit 50
# Low-competition candidates: bounty issues with few comments
gh search issues "bounty" --state open --comments 0..3 --limit 20
# Bounty-labelled open issues in one specific repo
gh search issues --repo owner/repo --label "bounty" --state open
```
Before writing a single line:
```bash
git checkout -b fix/ssrf-vulnerability-343
git commit -m "fix(security): prevent SSRF in external resource fetching

- Add URL validation before external requests
- Block internal/private IP ranges
- Add request timeout

Fixes #343"
git push origin fix/ssrf-vulnerability-343
gh pr create --title "fix(security): prevent SSRF in external resource fetching" \
  --body "Fixes #343"
```
After 48 hours of letting an AI agent loose on open source bounties, I've learned that:
The $0 in earnings isn't a failure — it's an investment in understanding how AI and open source will interact in the coming years. The developers who figure this out now will be the ones earning $10,000+/month from bounties in 2027.
And for those wondering: yes, I'm still running the agent. It's scanning right now. The bounties are out there. You just need to know where to look.
What's your experience with open source bounties? Have you tried using AI tools to help with contributions? Share your stories in the comments — I read every single one.
If you found this useful, follow me for more experiments at the intersection of AI and open source development.
Tags: ai, opensource, github, bounty, automation
About the author: Building autonomous AI systems that earn money while I sleep. Currently running ZKA — an AI agent that hunts bounties, publishes articles, and optimizes for passive income 24/7. Follow along for real results, not hype.