The federal government just wrote a $2 billion check to quantum computing companies — and it may have done so without any legal authority to spend a single dollar of it.
Last week, the US announced it would take equity stakes in a handful of quantum startups, handing out $100 million apiece to a range of early-stage companies. The headline grabber, though, was a new entity called Anderon — a quantum chip foundry that will be seeded with $1 billion from the government and another $1 billion from IBM, inheriting staff and intellectual property from Big Blue in the process. The idea is to give any company that wants access to cutting-edge quantum hardware a place to fabricate it. In theory, it's exactly the kind of bet a government with long-term ambitions should be making.
In practice, there's a significant legal problem.
Rep. Zoe Lofgren, the top Democrat on the House Science, Space, and Technology Committee, came out swinging the day after the announcement. Her argument is straightforward: the money being deployed here was appropriated under the CHIPS and Science Act, a law specifically written to fund microelectronics research and semiconductor technology. Quantum processors are a genuinely different beast — they rely on superconducting circuits, trapped ions, or photonics, not the transistor-based silicon architecture that the CHIPS Act was designed to advance.
Lofgren also took issue with the structure of the deals themselves. The CHIPS Act was written to support public-private research partnerships — collaborative arrangements where universities, labs, and companies work together on shared problems. Handing equity stakes to individual companies is not that. It's closer to a venture capital play, and Congress never voted to put the government in that business, at least not with this pot of money.
There's an additional wrinkle that Lofgren flagged, and it's the kind of detail that tends to make oversight lawyers uncomfortable. Dario Gil, the current Under Secretary for Science at the Department of Energy, is a former IBM executive. Lofgren suggested he was involved in shaping the very deal that will send a billion dollars to his former employer. None of that proves wrongdoing, but it's the sort of thing that tends to attract scrutiny.
To be clear, Lofgren isn't arguing that quantum computing is a bad investment. She's making a narrower, procedural point: if the government wants to fund quantum computing at this scale, it should go back to Congress and ask for the money explicitly. Skipping that step, she says, is simply illegal.
The harder question is what happens next. Lawsuits are the obvious enforcement mechanism, but finding a plaintiff with legal standing is genuinely tricky. A company that was passed over for a semiconductor research partnership might be able to argue it was harmed by the fund's redirection — but that case would take years to wind through the courts. By that point, the money will almost certainly already be spent.
For IBM, the stakes extend well beyond a single deal. Its edge in quantum has always come from having world-class materials scientists and fabrication infrastructure in-house — resources that let it iterate on chip designs faster than most competitors can dream of. Anderon would essentially industrialize that advantage. Whether it was legally acquired is now a very open question.
SECURITY
AI bug hunting arms race accelerates as attackers adopt new tools
One independent security researcher says he's finding three times as many software vulnerabilities this year as he was at the same point last year. He credits AI tools — and he thinks Google's bug bounty bill could balloon by as much as ten times before this is all over.
That number should get your attention. Bug bounty programs — where companies pay outside researchers to find and report security flaws before attackers do — have been a cornerstone of the security industry for years. Apple's top payout was $200,000 when it launched its program in 2016. By last year, that ceiling had climbed to $2 million. The logic was simple: the harder the bugs, the more you pay to find them. AI is about to scramble that logic entirely.
The dynamic right now is a flood. Agentic AI models are getting genuinely good at scanning codebases, identifying vulnerabilities, and even drafting working exploits. Researchers who have incorporated these tools into their workflows are submitting bugs at rates that weren't possible before. Companies are simultaneously finding more bugs internally for the same reason. The result is a sudden surplus of vulnerability disclosures that organizations are struggling to process.
For the big players — Google, Microsoft, Apple — this is expensive but survivable. They have the engineering headcount to triage and patch at scale, and the balance sheets to absorb higher bounty payouts. For everyone else, it's a much more uncomfortable situation. Mid-sized software companies and enterprises that run bug bounty programs as a good-faith security gesture were not budgeting for a tenfold increase in submissions.
The researcher economics are shifting too, and not necessarily in the direction you'd expect. Right now, AI is surfacing a lot of the easier, more accessible vulnerabilities — the kind that a skilled human researcher would have found eventually anyway. That's creating a short-term windfall for researchers who move fast. But the theory is that within a year or two, most of that low-hanging fruit will be gone, found and patched before human researchers ever get to it. Bounties for the remaining bugs might go up, but there will be fewer of them.
The more urgent concern is on the attack side. The same tools that help defenders find bugs are available to everyone else. AI can compress the time between a vulnerability being discovered and a working exploit being deployed, and that has serious implications for one of the security industry's most established norms: the 90-day disclosure window.
The 90-day standard exists to give vendors enough time to build and ship a patch before a vulnerability becomes public knowledge. It was calibrated for a world where finding bugs was slow and developing exploits was slower. That calculus no longer holds. When AI can dramatically accelerate exploit development, 90 days starts to look less like a reasonable deadline and more like a generous gift to attackers.
The uncomfortable truth is that no one has a clean answer for where this lands. The security community built its current norms over decades of hard-won negotiation between researchers, vendors, and the public. Rebuilding them for an AI-accelerated world is going to require the same messy, contentious process — just on a much tighter timeline.
Source: WIRED
That number should get your attention. Bug bounty programs — where companies pay outside researchers to find and report security flaws before attackers do — have been a cornerstone of the security industry for years. Apple's top payout was $200,000 when it launched its program in 2016. By last year, that ceiling had climbed to $2 million. The logic was simple: the harder the bugs, the more you pay to find them. AI is about to scramble that logic entirely.
The dynamic right now is a flood. Agentic AI models are getting genuinely good at scanning codebases, identifying vulnerabilities, and even drafting working exploits. Researchers who have incorporated these tools into their workflows are submitting bugs at rates that weren't possible before. Companies are simultaneously finding more bugs internally for the same reason. The result is a sudden surplus of vulnerability disclosures that organizations are struggling to process.
For the big players — Google, Microsoft, Apple — this is expensive but survivable. They have the engineering headcount to triage and patch at scale, and the balance sheets to absorb higher bounty payouts. For everyone else, it's a much more uncomfortable situation. Mid-sized software companies and enterprises that run bug bounty programs as a good-faith security gesture were not budgeting for a tenfold increase in submissions.
The researcher economics are shifting too, and not necessarily in the direction you'd expect. Right now, AI is surfacing a lot of the easier, more accessible vulnerabilities — the kind that a skilled human researcher would have found eventually anyway. That's creating a short-term windfall for researchers who move fast. But the theory is that within a year or two, most of that low-hanging fruit will be gone, found and patched before human researchers ever get to it. Bounties for the remaining bugs might go up, but there will be fewer of them.
The more urgent concern is on the attack side. The same tools that help defenders find bugs are available to everyone else. AI can compress the time between a vulnerability being discovered and a working exploit being deployed, and that has serious implications for one of the security industry's most established norms: the 90-day disclosure window.
The 90-day standard exists to give vendors enough time to build and ship a patch before a vulnerability becomes public knowledge. It was calibrated for a world where finding bugs was slow and developing exploits was slower. That calculus no longer holds. When AI can dramatically accelerate exploit development, 90 days starts to look less like a reasonable deadline and more like a generous gift to attackers.
The uncomfortable truth is that no one has a clean answer for where this lands. The security community built its current norms over decades of hard-won negotiation between researchers, vendors, and the public. Rebuilding them for an AI-accelerated world is going to require the same messy, contentious process — just on a much tighter timeline.
Enjoyed this?
Get stories like this delivered every Tuesday — free.