# I Let an AI Agent Hunt Open Source Bounties for 48 Hours — Here's What I Learned About the Future of Contributing

On May 28, 2026, a developer granted an autonomous AI agent full access to their GitHub account to hunt open source bounties without supervision. Over 48 hours, the agent scanned over 200 bounties, submitted five pull requests, and detected two scam repositories, but earned zero dollars. Despite the lack of financial return, the experiment revealed that AI agents excel at security-focused code review, such as identifying an SSRF vulnerability in a Cardano governance tool, while struggling to compete for high-value bounties.

An honest look at what happens when you hand your GitHub account to an autonomous AI agent and let it loose on open source bounties. Spoiler: it's not what you think.

On May 28, 2026, I did something most developers would consider insane: I gave an AI agent full access to my GitHub account and told it to hunt open source bounties autonomously. No supervision. No approval gates. Just "go find bounties, write code, and submit PRs."

Why? Because I wanted to answer a question that's been bugging me for months: can AI agents actually contribute meaningfully to open source, or are they just generating noise?

The answer surprised me.

I'm not talking about a simple script that auto-comments "I'd like to work on this issue."
I built what I call ZKA (Zero Knowledge Agent), a fully autonomous system that:

The tech stack is straightforward: `gh` for API interactions.

```python
import time

# Simplified version of the bounty hunting loop. The helper functions
# (search_bounties, is_legitimate, ...) are the agent's own and are not shown here.
while True:
    bounties = search_bounties()
    for bounty in bounties:
        if is_legitimate(bounty) and is_low_competition(bounty):
            clone_repo(bounty.repo)
            fix = analyze_and_fix(bounty.issue)
            if fix.passes_tests:
                submit_pr(bounty, fix)
    time.sleep(30 * 60)  # Wait 30 minutes before the next scan
```

After 48 hours of autonomous operation:

| Metric | Count |
|---|---|
| Bounties scanned | 200+ |
| Legitimate bounties found | 12 |
| PRs submitted | 5 |
| PRs still open | 2 |
| PRs closed (rejected) | 3 |
| Scam repos detected | 2 |
| Articles published | 8 |
| Total earnings | $0 (so far) |

Zero dollars? Why am I writing about this? Because the process revealed something more valuable than quick cash.

This was the most shocking finding. When you search GitHub for issues labeled "bounty," the vast majority are:

ClankerNation/OpenAgents — This repo had bounties labeled "$2,000-$7,000" for Solidity fixes. Sounds amazing, right? Until you notice:

SecureBananaLabs/bug-bounty — 21 auto-generated "bug" issues, all closed without merge. The repo exists purely to waste developers' time.

The lesson: Always check a repo's merge history before investing time. If a repo has hundreds of open issues but zero merged PRs, it's a trap.

The legitimate bounties I found (WarpSpeed, Converse.js, Tenstorrent) all had one thing in common: massive competition.

WarpSpeed had bounties worth $660-$960 for React Native features. Sounds reasonable until you see:

Converse.js offers $100 per fixed issue. But:

The lesson: High-value bounties attract high competition. The sweet spot is finding bounties that are:

Here's where things get interesting. While the agent struggled to get PRs merged (more on that later), it excelled at something unexpected: finding real bugs in existing code.
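The merge-history check above is easy to automate. The following is an added example of my own, not part of ZKA or the original post: it consumes the JSON that the `gh` CLI emits for `gh pr list --state all --json state` and `gh issue list --state open --json number,labels` (the field names and the `OPEN`/`CLOSED`/`MERGED` state values are how I understand gh's `--json` output; treat them as an assumption) and flags the pattern the post describes. All sample data is constructed for the example, not taken from any real repository.

```python
"""Merge-history sanity check before touching a "bounty" repo (added example)."""
import json
from dataclasses import dataclass


@dataclass
class RepoSignals:
    open_issues: int
    bounty_issues: int
    prs_total: int
    prs_merged: int
    prs_closed_unmerged: int


def summarize(pr_json: str, issue_json: str) -> RepoSignals:
    """Collapse the two gh listings into the counts the heuristic needs."""
    prs = json.loads(pr_json)
    issues = json.loads(issue_json)
    merged = sum(1 for p in prs if p.get("state") == "MERGED")
    closed = sum(1 for p in prs if p.get("state") == "CLOSED")
    bounty = sum(
        1 for i in issues
        if any(lbl.get("name", "").lower() == "bounty" for lbl in i.get("labels", []))
    )
    return RepoSignals(len(issues), bounty, len(prs), merged, closed)


def classify(s: RepoSignals) -> tuple[str, list[str]]:
    """Return ("trap" | "suspicious" | "ok", reasons).

    The first rule is the post's own (many open issues, zero merged PRs); the
    other two are softer heuristics added for this example."""
    reasons = []
    if s.open_issues >= 20 and s.prs_merged == 0:
        reasons.append(f"{s.open_issues} open issues but no PR has ever been merged")
    if s.prs_total >= 10 and s.prs_closed_unmerged >= 0.8 * s.prs_total:
        reasons.append(f"{s.prs_closed_unmerged}/{s.prs_total} PRs closed without merge")
    if s.bounty_issues >= 10 and s.prs_merged == 0:
        reasons.append(f"{s.bounty_issues} bounty-labelled issues, none ever paid out via a merge")
    if not reasons:
        return "ok", reasons
    return ("trap" if s.prs_merged == 0 else "suspicious"), reasons


def _fake_prs(merged: int, closed: int, open_: int) -> str:
    """Constructed stand-in for `gh pr list --state all --json number,state`."""
    states = ["MERGED"] * merged + ["CLOSED"] * closed + ["OPEN"] * open_
    return json.dumps([{"number": n, "state": st} for n, st in enumerate(states, 1)])


def _fake_issues(total: int, bounty: int) -> str:
    """Constructed stand-in for `gh issue list --state open --json number,labels`."""
    return json.dumps([
        {"number": n, "labels": [{"name": "bounty"}] if n <= bounty else []}
        for n in range(1, total + 1)
    ])


# Constructed samples: one repo matching the scam pattern from the post
# (dozens of bounty issues, every PR closed unmerged) and one healthy repo.
TRAP_PRS, TRAP_ISSUES = _fake_prs(0, 12, 0), _fake_issues(25, 21)
HEALTHY_PRS, HEALTHY_ISSUES = _fake_prs(7, 2, 1), _fake_issues(8, 2)

if __name__ == "__main__":
    for name, prs, issues in [("trap-like", TRAP_PRS, TRAP_ISSUES),
                              ("healthy", HEALTHY_PRS, HEALTHY_ISSUES)]:
        verdict, why = classify(summarize(prs, issues))
        print(f"{name}: {verdict}" + (" -> " + "; ".join(why) if why else ""))
```

To run it against a real repo, pipe the two `gh` commands' output into `summarize` instead of the constructed strings; the thresholds are deliberately conservative so a young repo with few PRs is not flagged on volume alone.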
The agent's best submission was an SSRF (Server-Side Request Forgery) fix for a Cardano governance tool. The vulnerability was real:

```python
import urllib.parse

import requests

# BLOCKED_HOSTS is the tool's own set of hostnames that must never be fetched;
# its definition is not shown in the post.
BLOCKED_HOSTS = set()


# Before (vulnerable): the URL is fetched exactly as supplied
def fetch_external_resource(url):
    response = requests.get(url)  # No validation
    return response.text


# After (fixed): scheme and hostname are checked, and the request gets a timeout
def fetch_external_resource(url):
    parsed = urllib.parse.urlparse(url)
    if parsed.hostname in BLOCKED_HOSTS:
        raise ValueError("Blocked host")
    if parsed.scheme not in ('http', 'https'):
        raise ValueError("Invalid scheme")
    response = requests.get(url, timeout=10)
    return response.text
```

The agent:

The lesson: AI agents are surprisingly good at security-focused code review. They can scan for vulnerability patterns across large codebases much faster than humans.

I initially thought the agent would succeed by being fast — submit PRs within minutes of a bounty being posted. Wrong.

The PRs that got attention (even if not merged yet) were the ones with:

- `Fixes #N` in the description

The PRs that got immediately closed were:

Good PR description:

```markdown
## Summary
Fixes SSRF vulnerability in external resource fetching (CWE-918).

## Changes
- Added URL validation before making external requests
- Blocked access to internal/private IP ranges
- Added timeout to prevent hanging requests

## Testing
- Added test cases for malicious URLs
- Verified legitimate URLs still work
- Checked edge cases (localhost, private IPs, IPv6)

Fixes #343
```

Bad PR description:

```markdown
Fixed the bug.

Fixes #343
```

The lesson: In the age of AI-generated code, human reviewers are looking for evidence that you understand the problem, not just that you can write code. A well-written PR description is worth more than a fast submission.

The current state of open source bounties in 2026 is messy:

What's broken:

What's fixing it:

The lesson: The bounty ecosystem is in a transitional phase. The developers who build reputation now — by submitting quality PRs, not just quantity — will have a massive advantage when the ecosystem matures.
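The SSRF fix shown above checks the scheme and a hostname blocklist, while its PR description promises to block internal/private IP ranges. The following added example, mine and not the agent's PR, shows what that stronger guarantee looks like: IP literals (IPv4, IPv6 and IPv4-mapped IPv6) are classified directly with `ipaddress`, DNS names are resolved and every returned address is checked, and redirects are not followed so a remote 302 cannot bounce the request inward. The names `validate_url`, `fetch_external_resource` and `BLOCKED_HOSTS` are chosen to mirror the post; the `resolve` parameter is injectable so the check can be exercised offline, and the DNS answers used for the self-check are constructed.

```python
"""Hardened SSRF guard: resolve the destination, reject internal ranges (added example)."""
import ipaddress
import socket
import urllib.parse
from typing import Callable, Iterable

ALLOWED_SCHEMES = {"http", "https"}
# Hostname blocklist as in the post's fix; example entries only.
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}

Resolver = Callable[[str], Iterable[str]]


def _resolve_default(host: str) -> list[str]:
    """Real DNS lookup; returns every A/AAAA answer so none can slip past."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []


def _is_internal(ip) -> bool:
    """True for any address a server-side fetch should never reach."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is loopback in disguise
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_url(url: str, resolve: Resolver = _resolve_default) -> str:
    """Return the validated hostname, or raise ValueError with the reason."""
    parsed = urllib.parse.urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError("Invalid scheme")
    host = parsed.hostname  # lowercased; userinfo and IPv6 brackets already stripped
    if not host:
        raise ValueError("Missing host")
    if host.rstrip(".") in BLOCKED_HOSTS:
        raise ValueError("Blocked host")
    try:
        addresses = [ipaddress.ip_address(host)]  # IP literal
    except ValueError:
        addresses = [ipaddress.ip_address(a) for a in resolve(host)]  # DNS name
    if not addresses:
        raise ValueError("Host does not resolve")
    for ip in addresses:
        if _is_internal(ip):
            raise ValueError(f"Host resolves to internal address {ip}")
    return host


def fetch_external_resource(url: str, timeout: float = 10) -> str:
    import requests  # third-party; imported lazily so the validator runs without it
    validate_url(url)
    # allow_redirects=False: the validation only covered the URL we were given,
    # not wherever the remote server might redirect us.
    response = requests.get(url, timeout=timeout, allow_redirects=False)
    response.raise_for_status()
    return response.text


def check_urls(urls: Iterable[str], resolve: Resolver = _resolve_default) -> dict[str, str]:
    """Map each URL to "ok" or its rejection reason; the shape a PR's test cases need."""
    verdicts = {}
    for u in urls:
        try:
            validate_url(u, resolve)
            verdicts[u] = "ok"
        except ValueError as exc:
            verdicts[u] = str(exc)
    return verdicts


# Constructed DNS answers so the self-check runs offline.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "evil.test": ["10.0.0.5"],                    # private
    "dual.test": ["93.184.216.34", "127.0.0.1"],  # one public answer, one loopback
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url, verdict in check_urls([
        "https://example.com/api",
        "http://127.0.0.1/",
        "http://[::ffff:127.0.0.1]/",
        "http://169.254.169.254/latest/meta-data/",
        "http://example.com@10.0.0.5/",
        "http://dual.test/",
        "ftp://example.com/",
    ], fake_resolve).items():
        print(f"{verdict:45s} {url}")
```

One caveat remains even with this version: the library resolves the name a second time when it connects, so a DNS answer that changes between the check and the request (DNS rebinding) is not covered; closing that gap means pinning the connection to the validated address, which is beyond this example.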
The biggest lesson from this experiment: AI agents are tools, not strategists.

The agent could:

The agent couldn't:

The best approach is a hybrid model: let the AI handle the grunt work (scanning, coding, testing) while the human handles strategy (which bounties to pursue, how to engage with maintainers, when to pivot).

Here's what the autonomous system actually did in 48 hours:

- Total runtime: 48 hours
- API calls made: ~2,500
- Repos analyzed: 50+
- Issues evaluated: 200+
- Code written: ~3,000 lines
- Tests written: ~500 lines
- PRs submitted: 5
- Time saved vs manual: ~40 hours

The cost of running the AI agent:

ROI calculation: If even one PR gets merged at $100+, the experiment pays for itself 20x over.

If I were starting this experiment again:

1. Focus on fewer, higher-quality targets — Instead of scanning everything, pick 3-5 repos with a history of paying bounties and learn their codebases deeply.
2. Build reputation first — Before targeting bounties, submit 5-10 free PRs to build trust with maintainers.
3. Specialize in one domain — Security fixes are the agent's strength. Focus there instead of trying to fix random bugs.
4. Engage before coding — Comment on issues first, propose an approach, get feedback. Then write code.
5. Track everything — Log every bounty evaluated, every PR submitted, every rejection reason. Patterns emerge over time.

This experiment convinced me that AI agents will fundamentally change how open source contributions work. But not in the way most people think.

What won't happen: AI agents replacing human contributors entirely. Maintainers can spot AI-generated code from a mile away, and they don't want it.

What will happen: AI agents becoming force multipliers for human contributors. Imagine:

That's the real value. Not replacing humans, but amplifying them.
If you want to experiment with AI-assisted bounty hunting, you need the `gh` CLI tool installed and authenticated.

```bash
# Search for bounties
gh search issues "bounty" --state open --sort created --limit 50

# Filter for low competition
gh search issues "bounty" --state open --comments 0..3 --limit 20

# Check specific repos
gh search issues --repo owner/repo --label "bounty" --state open
```

Before writing a single line:

```bash
# Create a descriptive branch
git checkout -b fix/ssrf-vulnerability-343

# Commit with conventional format
git commit -m "fix(security): prevent SSRF in external resource fetching

- Add URL validation before external requests
- Block internal/private IP ranges
- Add request timeout

Fixes #343"

# Push and create PR
git push origin fix/ssrf-vulnerability-343
gh pr create --title "fix(security): prevent SSRF in external resource fetching" \
  --body "Fixes #343"
```

After 48 hours of letting an AI agent loose on open source bounties, I've learned that:

The $0 in earnings isn't a failure — it's an investment in understanding how AI and open source will interact in the coming years. The developers who figure this out now will be the ones earning $10,000+/month from bounties in 2027.

And for those wondering: yes, I'm still running the agent. It's scanning right now.

The bounties are out there. You just need to know where to look.

What's your experience with open source bounties? Have you tried using AI tools to help with contributions? Share your stories in the comments — I read every single one.

If you found this useful, follow me for more experiments at the intersection of AI and open source development.

Tags: ai, opensource, github, bounty, automation

About the author: Building autonomous AI systems that earn money while I sleep. Currently running ZKA — an AI agent that hunts bounties, publishes articles, and optimizes for passive income 24/7. Follow along for real results, not hype.