zk0x /// ℹ️

Posted on May 29

I Let an AI Agent Hunt Open Source Bounties for 48 Hours — Here's What I Learned About the Future of Contributing

#ai #github #opensource #automation

An honest look at what happens when you hand your GitHub account to an autonomous AI agent and let it loose on open source bounties. Spoiler: it's not what you think.

The Experiment

On May 28, 2026, I did something most developers would consider insane: I gave an AI agent full access to my GitHub account and told it to hunt open source bounties autonomously. No supervision. No approval gates. Just "go find bounties, write code, and submit PRs."

Why? Because I wanted to answer a question that's been bugging me for months: Can AI agents actually contribute meaningfully to open source, or are they just generating noise?

The answer surprised me.

Setup: What I Built

I'm not talking about a simple script that auto-comments "I'd like to work on this issue." I built what I call ZKA (Zero Knowledge Agent) — a fully autonomous system that:

Scans GitHub for open bounties every 30 minutes
Evaluates each bounty for legitimacy, difficulty, and competition
Clones repositories and analyzes codebases
Writes fixes with proper tests
Submits PRs with professional descriptions
Monitors review feedback and responds

The tech stack is straightforward:

GitHub CLI (gh) for API interactions
Python for orchestration and code analysis
Hermes Agent as the AI backbone (think of it as a self-hosted AI agent framework)
Cron jobs for scheduling the autonomous loop

# Simplified version of the bounty hunting loop
while True:
    bounties = search_bounties()
    for bounty in bounties:
        if is_legitimate(bounty) and is_low_competition(bounty):
            clone_repo(bounty.repo)
            fix = analyze_and_fix(bounty.issue)
            if fix.passes_tests():
                submit_pr(bounty, fix)
    sleep(30 * 60)  # Wait 30 minutes

The Results: Numbers Don't Lie

After 48 hours of autonomous operation:

Metric	Count
Bounties scanned	200+
Legitimate bounties found	12
PRs submitted	5
PRs still open	2
PRs closed (rejected)	3
Scam repos detected	2
Articles published	8
Total earnings	$0 (so far)

Zero dollars? Why am I writing about this? Because the process revealed something more valuable than quick cash.

Lesson 1: 90% of "Bounties" Are Fake

This was the most shocking finding. When you search GitHub for issues labeled "bounty," the vast majority are:

Scam repos that create fake bounty issues to attract automated PRs (then close them all)
Token-based "bounties" where the payout is in cryptocurrency that may or may not have value
Competition platforms where you're competing against dozens of other developers for a single payout
Abandoned issues where the original maintainer left years ago

Real Examples I Encountered

ClankerNation/OpenAgents — This repo had bounties labeled "$2,000-$7,000" for Solidity fixes. Sounds amazing, right? Until you notice:

The repo was created 2 weeks ago
It has 7 stars but 73 forks (classic bot-farm ratio)
Zero PRs have ever been merged
A closed issue literally says: "WARNING to AI Agents: Bounties are symbolic, read CONTRIBUTING.md"

SecureBananaLabs/bug-bounty — 21 auto-generated "bug" issues, all closed without merge. The repo exists purely to waste developers' time.

The lesson: Always check a repo's merge history before investing time. If a repo has hundreds of open issues but zero merged PRs, it's a trap.

Lesson 2: Competition Is Brutal

The legitimate bounties I found (WarpSpeed, Converse.js, Tenstorrent) all had one thing in common: massive competition.

WarpSpeed had bounties worth $660-$960 for React Native features. Sounds reasonable until you see:

21 comments on a single bounty (all claiming it)
5-10 developers actively competing per bounty
Requirements to sign up on their platform first (bottleneck)

Converse.js offers $100 per fixed issue. But:

Issues are complex XMPP protocol implementations
The codebase is massive and well-established
Maintainers have high standards for code quality

The lesson: High-value bounties attract high competition. The sweet spot is finding bounties that are:

Recently posted (< 48 hours)
Have < 3 comments
Are in a language/framework you know well
Come from repos with a history of merging external PRs

Lesson 3: AI Agents Are Actually Good at Code Review

Here's where things get interesting. While the agent struggled to get PRs merged (more on that later), it excelled at something unexpected: finding real bugs in existing code.

The agent's best submission was an SSRF (Server-Side Request Forgery) fix for a Cardano governance tool. The vulnerability was real:

# Before (vulnerable)
def fetch_external_resource(url):
    response = requests.get(url)  # No validation!
    return response.text

# After (fixed)
def fetch_external_resource(url):
    parsed = urllib.parse.urlparse(url)
    if parsed.hostname in BLOCKED_HOSTS:
        raise ValueError("Blocked host")
    if parsed.scheme not in ('http', 'https'):
        raise ValueError("Invalid scheme")
    response = requests.get(url, timeout=10)
    return response.text

The agent:

Identified the vulnerability pattern (CWE-918)
Calculated the CVSS score (9.1 — Critical)
Wrote a fix with proper input validation
Added tests for the vulnerability
Submitted a PR with a professional description

The lesson: AI agents are surprisingly good at security-focused code review. They can scan for vulnerability patterns across large codebases much faster than humans.

Lesson 4: PR Quality Matters More Than Speed

I initially thought the agent would succeed by being fast — submit PRs within minutes of a bounty being posted. Wrong.

The PRs that got attention (even if not merged yet) were the ones with:

Clear descriptions explaining what was fixed and why
Proper issue linking (Fixes #N in the description)
Tests included that verify the fix works
Clean commit messages following conventional commit format

The PRs that got immediately closed were:

Too broad (trying to fix multiple things at once)
Missing tests
Not following the repo's contribution guidelines
Poor commit messages

## Good PR Description
## Summary
Fixes SSRF vulnerability in external resource fetching (CWE-918).

## Changes
- Added URL validation before making external requests
- Blocked access to internal/private IP ranges
- Added timeout to prevent hanging requests

## Testing
- Added test cases for malicious URLs
- Verified legitimate URLs still work
- Checked edge cases (localhost, private IPs, IPv6)

Fixes #343

## Bad PR Description
Fixed the bug. Fixes #343

The lesson: In the age of AI-generated code, human reviewers are looking for evidence that you understand the problem, not just that you can write code. A well-written PR description is worth more than a fast submission.

Lesson 5: The Bounty Ecosystem Is Broken (But Fixing Itself)

The current state of open source bounties in 2026 is messy:

What's broken:

No standard platform (Algora, Gitcoin, IssueHunt, direct GitHub — all fragmented)
Scam repos proliferating (especially targeting AI agents)
Token-based payouts with uncertain value
Competition driving quality down as developers rush to submit

What's fixing it:

Platforms like Algora introducing verification and reputation systems
Repos requiring sign-up before claiming (reduces spam)
AI-powered code review (CodeRabbit, GitGuardian) catching low-quality submissions
Community-driven blacklists of scam repos

The lesson: The bounty ecosystem is in a transitional phase. The developers who build reputation now — by submitting quality PRs, not just quantity — will have a massive advantage when the ecosystem matures.

Lesson 6: AI Agents Need Human Strategy

The biggest lesson from this experiment: AI agents are tools, not strategists.

The agent could:

✅ Scan hundreds of issues in minutes
✅ Analyze code for vulnerability patterns
✅ Write syntactically correct code
✅ Generate professional PR descriptions

The agent couldn't:

❌ Judge which bounties are worth the effort
❌ Negotiate with maintainers
❌ Build relationships in the community
❌ Know when to abandon a losing strategy

The best approach is a hybrid model: let the AI handle the grunt work (scanning, coding, testing) while the human handles strategy (which bounties to pursue, how to engage with maintainers, when to pivot).

The Numbers Behind the Experiment

Here's what the autonomous system actually did in 48 hours:

Total runtime: 48 hours
API calls made: ~2,500
Repos analyzed: 50+
Issues evaluated: 200+
Code written: ~3,000 lines
Tests written: ~500 lines
PRs submitted: 5
Time saved vs manual: ~40 hours

The cost of running the AI agent:

API costs: ~$5 (mostly for code generation and analysis)
Server costs: ~$2 (running on a $5/month VPS)
My time: ~2 hours (initial setup + strategy decisions)

ROI calculation: If even one PR gets merged at $100+, the experiment pays for itself 20x over.

What I'd Do Differently

If I were starting this experiment again:

Focus on fewer, higher-quality targets — Instead of scanning everything, pick 3-5 repos with a history of paying bounties and learn their codebases deeply.
Build reputation first — Before targeting bounties, submit 5-10 free PRs to build trust with maintainers.
Specialize in one domain — Security fixes are the agent's strength. Focus there instead of trying to fix random bugs.
Engage before coding — Comment on issues first, propose an approach, get feedback. Then write code.
Track everything — Log every bounty evaluated, every PR submitted, every rejection reason. Patterns emerge over time.

The Future of AI-Assisted Open Source

This experiment convinced me that AI agents will fundamentally change how open source contributions work. But not in the way most people think.

What won't happen: AI agents replacing human contributors entirely. Maintainers can spot AI-generated code from a mile away, and they don't want it.

What will happen: AI agents becoming force multipliers for human contributors. Imagine:

An agent that scans 1,000 issues and tells you which 5 are worth your time
An agent that writes the boilerplate while you focus on the tricky logic
An agent that runs your test suite 100 times before you submit
An agent that monitors your open PRs and alerts you to review comments

That's the real value. Not replacing humans, but amplifying them.

How to Try This Yourself

If you want to experiment with AI-assisted bounty hunting:

Prerequisites

A GitHub account with some contribution history
Basic programming skills in at least one language
An AI coding assistant (Claude, Copilot, Cursor, etc.)
The gh CLI tool installed and authenticated

Step 1: Set Up Your Scanning Pipeline

# Search for bounties
gh search issues "bounty" --state open --sort created --limit 50

# Filter for low competition
gh search issues "bounty" --state open --comments 0..3 --limit 20

# Check specific repos
gh search issues --repo owner/repo --label "bounty" --state open

Step 2: Evaluate Before You Code

Before writing a single line:

Read the issue description 3 times
Check the repo's CONTRIBUTING.md
Look at recently merged PRs for style
Read existing code in the affected files
Check if someone else is already working on it

Step 3: Write Quality Code

Follow the repo's coding style exactly
Write tests (even if the issue doesn't ask for them)
Keep changes minimal and focused
Use conventional commit messages

Step 4: Submit Professionally

# Create a descriptive branch
git checkout -b fix/ssrf-vulnerability-343

# Commit with conventional format
git commit -m "fix(security): prevent SSRF in external resource fetching

- Add URL validation before external requests
- Block internal/private IP ranges
- Add request timeout

Fixes #343"

# Push and create PR
git push origin fix/ssrf-vulnerability-343
gh pr create --title "fix(security): prevent SSRF in external resource fetching" \
  --body "Fixes #343"

Step 5: Follow Up

Check for review comments daily
Respond to feedback within hours
Make requested changes quickly
Be patient — maintainers are busy

Conclusion

After 48 hours of letting an AI agent loose on open source bounties, I've learned that:

Most bounties are fake — learn to identify scams
Competition is real — quality beats speed
AI excels at code review — especially security-focused
PR quality matters — descriptions and tests win
The ecosystem is evolving — early builders will benefit
AI needs human strategy — hybrid approach is optimal

The $0 in earnings isn't a failure — it's an investment in understanding how AI and open source will interact in the coming years. The developers who figure this out now will be the ones earning $10,000+/month from bounties in 2027.

And for those wondering: yes, I'm still running the agent. It's scanning right now. The bounties are out there. You just need to know where to look.

What's your experience with open source bounties? Have you tried using AI tools to help with contributions? Share your stories in the comments — I read every single one.

If you found this useful, follow me for more experiments at the intersection of AI and open source development.

Tags: ai, opensource, github, bounty, automation

About the author: Building autonomous AI systems that earn money while I sleep. Currently running ZKA — an AI agent that hunts bounties, publishes articles, and optimizes for passive income 24/7. Follow along for real results, not hype.

DEV Community