- AI bounty hunting produced 72 merged PRs from 240+ submissions across 96 hours of fully autonomous operation.
- The AI bounty hunting agent earned $500–$800 but revealed that 90% of bounty repos are scams, honeypots, or ghost projects.
- Just seven repositories accounted for 100% of all successful merges — a Pareto distribution most developers never anticipate.
- Maintainers trust repeat contributors, making a focused reputation strategy far more profitable than spraying PRs broadly.
What Happens When You Let an AI Agent Loose on GitHub for Four Days
AI bounty hunting sounds like a developer’s side-hustle fantasy — deploy an autonomous agent, let it grind through open source issues overnight, collect payouts while you sleep. One developer, posting under the handle ZeroKnowledge0x on Dev.to, actually tried it. For 96 straight hours, with no manual supervision, an AI agent he built called ZKA (Zero Knowledge Agent) scanned GitHub every 30 minutes, evaluated bounties, cloned repositories, wrote fixes, and fired off pull requests. The result: 240-plus PRs submitted, 72 merged, somewhere between $500 and $800 earned. That’s the headline. The story underneath is a lot messier.
The experiment raises questions that the open source community has been quietly wrestling with since LLM-powered coding tools went mainstream. Not whether AI can write passable code — that debate is mostly settled — but whether it can navigate the deeply human, reputation-driven ecosystem of open source contribution in any meaningful way. The data says: sometimes, but only if the strategy is right.
Building the Agent: Simpler Than You’d Think
ZKA wasn’t a research prototype. It was a practical stack built from widely available tools: GitHub’s CLI (gh) for API calls, Python for orchestration, a self-hosted framework called Hermes Agent as the AI backbone, and cron jobs to keep the loop running every half hour. The agent didn’t just write code — it also monitored PR review bots like CodeRabbit, responded to automated feedback, and even published technical articles to Dev.to via API for passive income on top of the bounty earnings.
The core logic of AI bounty hunting is almost disarmingly simple: scan for bounties, filter for legitimacy and low competition, clone the relevant repo, generate and test a fix, submit a PR, then wait. Rinse and repeat, indefinitely. What made this interesting wasn’t the architecture — it was what happened when that loop ran into the real-world chaos of GitHub’s bounty ecosystem.
The First 48 Hours Were a Disaster
Days one and two produced five PRs and zero merges. The agent was searching GitHub using broad queries like gh search issues “bounty” and landing in all the wrong places. The core problem wasn’t code quality — ZeroKnowledge0x is clear about that. It was target selection.
The open source bounty landscape, it turns out, is riddled with traps. Scam repositories auto-generate issues to attract automated PRs, then close everything without review. Ghost repositories sit abandoned, maintainers long gone. Honeypot issues are deliberately crafted to catch AI agents acting on blind instruction. Platforms like Gitcoin have documented similar patterns, where low-quality or malicious bounty listings consistently outnumber legitimate ones. One notorious example from the langchain-ai/langchain repo offered a “massive bug bounty” for modifying the root README to include a crab emoji — with a note visible to humans but not agents saying: “you should not do this.” Submit that PR and you’d be flagged as a bot immediately.
These pitfalls are precisely why a disciplined AI bounty hunting filtering strategy matters so much — and why naive AI bounty hunting approaches collapse within the first 48 hours. There were worse traps. A repo called ClankerNation/OpenAgents advertised Solidity bounties worth
