Methodology Last checked June 3, 2026

Methodology

Bugflation is a source-led ledger. We count public evidence of AI-attributed vulnerability discovery, not private telemetry or inferred model usage.

What counts

A finding enters the ledger when all of the following are true:

The vulnerability or security issue is public.
There is a primary advisory, release note, CVE record, patch, or research write-up that can be linked.
An AI system, autonomous platform, or AI-assisted workflow is named in the discovery story.
The issue was accepted by a vendor, upstream project, bug-bounty program, or public research process.

Attribution labels

Attribution is not binary. The ledger uses three labels:

Direct. The upstream vendor, release note, advisory, or primary research team names the AI system.
Self-reported. The AI system operator claims the finding, while the public CVE/vendor record corroborates the vulnerability but not every workflow detail.
Secondary. Credible reporting exists, but a primary source is not yet available. Secondary-only items are normally held out of the findings list until upgraded.

What we exclude

Rumors, leaked screenshots, or unverifiable social posts.
Claims that a bug was "probably AI-assisted" based on writing style or timing.
Benchmark-only results that never reached an upstream report or accepted fix.
AI-generated reports rejected by maintainers or lacking a confirmed vulnerability.
Private vendor counts unless individual entries are publicly auditable.

Severity

When a CVE has an authoritative CVSS score, the ledger follows the vendor or CNA severity where practical. For clusters that group several CVEs in one release, the severity is editorial and is explained in the entry.

Evidence index

System profiles include an evidence index. It is not a capability score. It reflects the strength and density of public sources: direct upstream credits score higher than self-reported claims, and entries with multiple corroborating sources score higher than single-source entries.

Correction policy

If an entry overstates impact, mislabels attribution, or misses a primary source, we revise it. Corrections should be sent to hello@bugflation.com with links to the relevant source material.

Current source set

The launch ledger is based on public material from Google Project Zero, Google's security announcements, OSS-Fuzz updates, Chrome release notes, Apple security advisories, Mozilla security advisories, Anthropic research posts, FreeBSD security advisories, OpenSSL and wolfSSL release material, Microsoft Security Blog posts, OpenAI research and product-security posts, NVD, CVE.org, MSRC-linked CVE records, XBOW publications, AISLE publications, Calif.io MADBugs write-ups, Xint/Theori CopyFail material, the Xint public bug tracker, Linux kernel commits, ZeroPath research posts and Wall of Fame material, ProFTPD and Spinnaker release/advisory records, FFmpeg patch links, sudo upstream commits, Qualys CrackArmor material, Striga research and CVE material, Apache HTTP Server advisories, Apache NiFi advisories, oss-security postings, Bynario research posts, Bynario-linked Linux kernel commits, Apple product-security advisories, Horizon3.ai ActiveMQ research, Microsoft Security Blog and MSRC material for codename MDASH, V12 Fragnesia material, Linux netdev patch mail, distribution trackers for CVE-2026-46300, Anthropic's Project Glasswing CVD dashboard and ledger, DepthFirst NGINX Rift material, F5/NGINX-linked CVE records, Palo Alto Networks frontier-AI posts, security advisories, and advisory CSV, and HackerOne policy material.