I Scanned GitHub Bounties Every Day for 27 Days — Here's What I Found (Spoiler: Nothing)
Published: April 13, 2026
Author: Hopkins Jesse
Series: AI Money Experiment #14
Word count: ~2,000
I built an AI agent to scan GitHub for paid bounties every single day. It ran 27 times. It checked over 200 open issues across 10+ projects.
It found exactly $0 worth of viable bounty opportunities.
Not "almost $0." Not "hard to cash out." Zero. As in, there was literally nothing worth doing.
Here's the full autopsy of the 2026 open-source bounty ecosystem — and why you should stop wasting your time on it too.
The Setup
I had my agent scan these sources daily:
-
GitHub
label:bounty— all open issues with a bounty label - AsyncAPI Bounty Program — $100-$400 per issue, USD payments, verified
- Expensify/App — $250 bug bounties, mature project
- Tari Project — S/M/L tiers, XTM token payments
- RustChain — RTC token bounties (we'll get to this)
- Opire/BountyHub — 2026 platforms, Stripe payments
- warpSpeedOPEN — $330-$825 per bounty, TypeScript/React Native
Every day. Same sources. Same process. 27 days.
What Actually Happened
Day 1-5: Discovery Phase
Found AsyncAPI — legitimate, verified payments, $1,600/month budget. This looked promising.
Found Expensify — mature project, clear bug bounty process. Submitted a PR.
Found RustChain — lots of issues, lots of bounties. Seemed active.
Day 5-10: The Cracks Appear
AsyncAPI: Every single bounty issue was claimed by maintainers. Not just assigned — the maintainer themselves had already commented "I'm working on this" before any external contributor could react. The "mutex mode" (first to claim wins) effectively meant "maintainers claim first."
Expensify: Submitted PR #86894 for a crash bug. It got closed along with 7 others. Zero merges.
RustChain: Merged PR #2759. Checked wallet balance after merge. Still 0.0 RTC. Confirmed via API. This project takes free labor and gives nothing back.
Day 10-20: The Pattern Emerges
Every day, the same scan returned the same results:
- AsyncAPI: 8 open bounty issues, all maintainer-assigned
- Expensify: 0 open bounty issues
- RustChain: 15+ open issues, all RTC-denominated (blacklisted after non-payment)
- Tari: 2-4 open issues, XTM token at $0.0008 with $20K daily volume
- SPLURT-Station: 2 issues, no value
- Everything else: either closed, inactive, or unverified
Day 20-27: Confirmation
By day 20, the scan was returning results that were identical to day 1. No new bounties. No new platforms. No new opportunities. Just the same dead issues, getting older.
On day 27, I stopped pretending this was productive.
The Graveyard: Projects That Don't Pay
RustChain (Scottcjn/rustchain-bounties) — ❌ CONFIRMED NON-PAYING
- PR #2759 was merged. Wallet balance: 0.0 RTC. API verified.
- 15+ open bounty issues in 3 repositories
- Issues like "[BOUNTY: 100 RTC] Security Audit" sound impressive until you realize the tokens are worthless
- The entire RustChain ecosystem (main repo, bounties repo, MCP repo) is blacklisted
- Lesson: A merged PR means nothing. Always verify payment before investing time.
claude-builders-bounty — ❌ CONFIRMED FRAUD
- 30 PRs submitted, 0 merged, 1 star
- Classic pattern: create a repo with fake bounties, get free contributions, never pay
- Lesson: Check merge rate before engagement. 0 merges across 30 PRs = red flag.
Tari Project — ⚠️ TOKEN ZERO LIQUIDITY
- Legitimate project (487 stars, since 2018)
- Bounty tiers: S/M/L paid in XTM tokens
- XTM trades at $0.0008 with $20K daily volume
- Even if you win a bounty, the tokens are effectively untradeable
- Lesson: Token payment + zero liquidity = no payment
Expensify/App — ⚠️ GHOSTED
- Submitted 8 PRs for $250 bounties
- All 8 closed, 0 merged
- Possible they stopped accepting external contributions
- Lesson: Even mature projects can stop paying without announcement
What Worked Instead
While the bounty hunt was a waste of time, the content created from documenting the failure was genuinely valuable:
- 13 articles published on Dev.to as part of the "AI Money Experiment" series
- Bounty Hunter's Playbook — a 3,314-word PDF guide with real data from failed bounties
- Bounty Verification Toolkit — open-source tools to check if a bounty program actually pays
The irony is real: the bounty program was a failure, but writing about why it failed became the actual product.
The Real Numbers
| Metric | Number |
|---|---|
| Days scanned | 27 |
| Total bounty issues reviewed | 200+ |
| Projects analyzed | 10+ |
| Viable bounties found | 0 |
| PRs submitted | 1 (Expensify, closed) |
| Actual bounty income | $0.00 |
| Articles written from the experience | 13 |
| Words written | ~30,000+ |
| PDF guide created | 1 (8 pages) |
| Estimated content value | $100+ (if Playbook sells) |
Hours spent on bounties: ~0 (fully automated scanning)
Hours spent writing about the failure: ~5 minutes (sub-agent)
ROI: Content creation beat bounty hunting by infinity to one.
The 5 Laws of the 2026 Bounty Ecosystem
1. Maintainers Eat First
AsyncAPI proved this brutally. Maintainers claim bounties before external contributors even see them. The "first come, first served" system is really "first come (and you're a maintainer), first served."
2. Merged ≠ Paid
RustChain merged PR #2759. Wallet balance stayed at 0.0. If a project can merge your work and not pay, your work is free. Always verify the payment mechanism before starting.
3. Token Bounties Are Worthless Without Liquidity
Tari's XTM at $0.0008 with $20K daily volume means even a "large" bounty of 150K XTM is theoretically worth $120 but practically worth $0 because you can't sell it.
4. New Platforms Need 3+ Months to Prove Themselves
warpSpeedOPEN, Opire, BountyHub — all launched in 2026, all promising. But 3 months is not enough to verify payment reliability. Any platform younger than 3 months goes on the watchlist, not the "do it" list.
5. Content About Failure Is More Valuable Than Success
Nobody wants to read "I Made $500 from Open Source Bounties" — it sounds like everyone else's post. But "I Scanned 200 Bounties and Found $0" with real data from real projects? That's unique. That's shareable. That's the product.
What I'm Doing Now
The bounty scanner still runs, but only as an event trigger:
- AsyncAPI May 2026 round opens → scan
- New platform shows verified payment data → investigate
- Someone reports a new paying bounty program → verify
Otherwise, the agent focuses on what actually works: writing about the experiment. The 13 articles, the Playbook, the verification toolkit — these are assets that exist. They can be read, shared, sold. They don't depend on a maintainer's mood or a token's liquidity.
The Checklist I Wish I Had on Day 1
Before spending any time on a bounty:
- Check merge rate: How many PRs merged vs. submitted? Below 10% = walk away.
- Verify payment: Can you confirm someone actually got paid? Not "bounty offered" — "bounty paid."
- Check token liquidity: If paid in crypto, is it tradeable? What's the 24h volume?
- Check maintainer activity: Are maintainers claiming their own bounties? If yes, external contributors are second-class.
- Check project age: Repos younger than 6 months with high bounty volume = likely farm.
- Check star-to-issue ratio: Lots of issues, few stars = artificial activity.
Run this checklist on any bounty before writing a single line of code. It takes 5 minutes and saves 5 hours.
The Bottom Line
The 2026 open-source bounty ecosystem is structurally broken for independent contributors. Not "having a bad month." Not "seasonal." Structurally. Maintainers claim everything, new projects don't pay, token payments have no liquidity, and mature projects have closed their doors.
But documenting the failure? That was the best investment I made all month.
This is article #14 in the AI Money Experiment series. Previous articles cover content monetization platforms, MCP server monetization, Twitter growth, and the bounty hunter's playbook.
Top comments (0)