How an AI agent really performed on open source bounties in 48 hours

A developer decided to test the limits of autonomous coding by unleashing an AI agent on GitHub’s open source bounty landscape last May. For 48 hours, the agent operated without human oversight—scanning issues, evaluating bounties, writing fixes, and submitting pull requests. The goal wasn’t to chase quick cash but to answer a deeper question: Can AI agents actually contribute meaningfully to open source, or are they just adding noise to the ecosystem?

The results revealed a complex mix of promise and pitfalls—where some contributions were grounded in real value, while others fell victim to flawed bounty systems, fierce competition, and deceptive repositories.

Building a Zero-Knowledge Autonomous Agent

To execute the experiment, the developer engineered ZKA (Zero Knowledge Agent), a fully autonomous system designed to operate with minimal human input. The agent didn’t just auto-comment on issues—it performed end-to-end contributions, from discovery to submission.

The workflow included:

• Scanning GitHub every 30 minutes for new bounty-labeled issues
• Validating each bounty for legitimacy, scope, and competition level
• Cloning relevant repositories and analyzing their codebases
• Writing bug fixes or feature implementations with test coverage
• Submitting pull requests with detailed descriptions and clean commit messages
• Monitoring feedback and adjusting responses accordingly

The technical foundation relied on familiar tools:

• GitHub CLI (`gh`) for seamless API interactions
• Python for orchestration, analysis, and automation logic
• Hermes Agent as the reasoning backbone—a self-hosted framework for autonomous decision-making
• Cron jobs to maintain the autonomous loop without manual intervention

While the full logic was more nuanced, the core loop looked like this:

while True:
    bounties = search_bounties()
    for bounty in bounties:
        if is_legitimate(bounty) and is_low_competition(bounty):
            clone_repo(bounty.repo)
            fix = analyze_and_fix(bounty.issue)
            if fix.passes_tests():
                submit_pr(bounty, fix)
    sleep(30 * 60)  # Wait 30 minutes

Hard Numbers: What Happened in Two Days

Over 48 hours of unsupervised operation, the agent achieved measurable results—but not in the way most expected.

| Metric | Count | |--------------------|-------| | Bounties scanned | 200+ | | Legitimate bounties| 12 | | Pull requests sent | 5 | | PRs still open | 5 | | PRs rejected | 2 | | Scam repositories detected | 3 | | Earnings | $0 |

Zero dollars earned? That wasn’t the point. The real insight lay in the patterns uncovered during the process—patterns that challenge how developers and platforms view open source contributions.

The Reality of Most Bounties: Fake, Overhyped, or Abandoned

The most alarming discovery was how many bounty-labeled issues were not legitimate opportunities at all. Nearly every promising-looking bounty turned out to be a trap, a placeholder, or a scam.

Common red flags in fake bounties included:

• Repositories created within days with inflated star counts
• Hundreds of open issues but zero merged pull requests
• Bounties labeled with dollar amounts in volatile cryptocurrency
• Issues that explicitly warned AI agents away in their README or contributing guides

Three specific examples stood out:

• ClankerNation/OpenAgents: A repo created two weeks earlier claimed bounties between $2,000 and $7,000 for Solidity fixes. Yet it had 73 forks and 7 stars—a classic bot-farm ratio. A closed issue bluntly warned: "WARNING to AI Agents: Bounties are symbolic, read CONTRIBUTING.md."

• SecureBananaLabs/bug-bounty: Contained 21 auto-generated bug reports, all closed without merging. The repository existed solely to waste developer time.

• Unknown/unspecified platforms: Several bounties required signing up on external platforms with unclear payout terms, adding friction and opacity.

The takeaway is simple: not all bounties are created equal. Developers—and their AI agents—must treat each opportunity like a due diligence exercise. A repo with no merged external contributions in years is unlikely to suddenly pay out a bounty.

Competition Is Ruthless, Even for Machines

Even legitimate bounties proved difficult to crack due to intense competition from human developers and other autonomous agents.

For example, the WarpSpeed project offered bounties ranging from $660 to $960 for React Native features. But a single issue had 21 comments from developers claiming it, with 5 to 10 active competitors per bounty. Additional layers like platform signups and qualification requirements created bottlenecks that slowed progress.

Similarly, Converse.js offered $100 per fixed issue, but the challenges were non-trivial:

• Complex XMPP protocol implementations
• High code quality standards from maintainers
• Deeply established codebases with precise conventions

AI agents face the same challenges as humans: high-quality contributions require deep understanding, not just speed. The sweet spot for autonomous contributions appears to be:

• Very recent issues (under 48 hours old)
• Low comment counts (fewer than 3 responses)
• Familiar tech stacks
• Repositories with a history of accepting external contributions

When AI Gets Security Right: The SSRF Fix That Mattered

While most pull requests gathered dust, one submission stood out for its real impact. The agent identified a critical Server-Side Request Forgery (SSRF) vulnerability in a Cardano governance tool and submitted a fix—complete with tests and a professional description.

The original code lacked input validation:

def fetch_external_resource(url):
    response = requests.get(url)  # No validation!
    return response.text

The agent rewrote it with proper safeguards:

def fetch_external_resource(url):
    parsed = urllib.parse.urlparse(url)
    if parsed.hostname in BLOCKED_HOSTS:
        raise ValueError("Blocked host")
    if parsed.scheme not in ('http', 'https'):
        raise ValueError("Invalid scheme")
    response = requests.get(url, timeout=10)
    return response.text

The fix addressed:

• CWE-918 (Server-Side Request Forgery)
• Input validation and timeout enforcement
• CVSS score of 9.1 (Critical)
• Comprehensive test cases

More importantly, the pull request included clear documentation and followed conventional commit standards—qualities that often determine whether a PR gets reviewed or ignored.

Quality Beats Speed: Why Some PRs Got Noticed

Speed alone doesn’t guarantee success in open source. The agent’s most successful pull requests shared key attributes that resonated with maintainers:

• Clear descriptions that explained the fix, the problem, and the impact
• Proper issue linking using GitHub’s Fixes #N syntax
• Included tests that verified the fix worked and prevented regressions
• Clean commit messages following conventional commit conventions

Conversely, the rejected pull requests often suffered from:

• Overly broad changes that didn’t align with the issue scope
• Missing or inadequate test coverage
• Poorly formatted descriptions with no context
• No clear linkage to the original issue

These patterns suggest that autonomous AI contributions can succeed—but only when they prioritize clarity, correctness, and maintainability over raw speed.

The Future of AI in Open Source Contributions

This experiment highlights both the potential and the limitations of AI-driven open source participation. While autonomous agents can identify and fix real bugs—especially security vulnerabilities—they still struggle to navigate the social and structural complexities of open source ecosystems.

The biggest barriers aren’t technical; they’re organizational. Maintainers still prefer human contributors with established reputations. Bounty platforms often lack transparency. And many repositories are designed to attract bots rather than foster collaboration.

Yet the rise of self-hosted AI agents marks a turning point. Developers no longer need to manually hunt for issues or draft boilerplate fixes. With the right guardrails—code quality checks, vulnerability scanning, and clear contribution standards—AI agents could evolve into valuable contributors.

As tools like Hermes Agent, GitHub’s AI features, and autonomous frameworks mature, we may see a new wave of contributions that are faster, safer, and more scalable. But for now, the path to meaningful participation runs through due diligence, quality, and patience—whether the contributor is human or machine.