@BPIV400 @cosmoslabs_io
The advisory https://t.co/JmlsmwKpmx still relies on a logging mitigation that you have failed to prove exists.
Please provide the exact log entries that unequivocally identify both the root cause of the issue and the specific malicious peer.
My standing request for a technical discussion regarding this workaround remains open and unaddressed.
Additionally, you closed a High-severity report from @ehdus829 with a bounty three days ago https://t.co/hFNdYvMAU9. This requires a public advisory and a patch so downstream projects can update their dependencies.
Please share the advisory.
The @jump_firedancer Audit Competition is live! ⚡️️
A $1,000,000 scaling reward pool is up for grabs for finding eligible bugs in the Firedancer V1 code
📅 April 9 - May 9 2026
💰 Scaling reward pool of up to $1,000,000
⌨️ Language: C
✅ KYC required
Get hunting: https://t.co/ITAKgX99OI
I Saved Injective's $500M. They Pay Me $50K.
I like hunting bugs on @immunefi. I'm decent at it.
- #1 — Attackathon | Stacks
- #2 — Attackathon | Stacks II
- #1 — Attackathon | XRPL Lending Protocol
- 1 Critical and 1 High from bug bounties (not counting this one)
Life was good. Then I found a Critical vulnerability in @injective.
This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk.
I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity.
Then — silence. For 3 months. No follow up. No technical discussion. Nothing.
A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K. I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all. To be clear: the $50K has not been paid either.
I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me. I can't force them to do the right thing. But I won't let this be forgotten.
I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve.
Full Technical Report: https://t.co/lki2tL9bxw
After many tests around LLM use in bug hunting, and taking into consideration all my experiences/study in AI in the past few months, I arrived at some conclusions. And I'll make some predictions:
1. Every new model will be followed by a wave of new bug findings in a short time that will get people very excited. Followed by a period of very few findings.
2. Those waves will get smaller and smaller, until basically there's no improvement.
3. The reason isn't that the code is becoming bug free -- it's because the % of bugs that **can be found** by LLMs is quite small.
Why?
1. The model has no idea how the code works -- you can catch it making ridiculous statements about the code all the time.
2. It has no idea how the EVM works either -- it misrepresents basic facts about the EVM all the time.
3. The way it finds bugs is basically hallucinating credible-sounding exploits. If there is a bug and it is typical enough, sometimes the hallucination matches reality.
4. Even very easy, very typical bugs can be missed if slightly obscured.
5. Matching the actual threat model is hard so the severity is basically a random guess most of the time.
6. You can improve all of the above in two ways:
6.a. Make extensive prompts/skills telling exactly what it should look for. You just turned the supposedly generic auditor into a (very expensive and slow) static analyzer!
6.b. Force it to PoC and retry repeatedly, enforcing success conditions. This turns it into a (very expensive and slow) fuzzer!
You can combine both for better results.
7. It's useful but it is still just a static analyzer + fuzzer. An incremental expansion on the existing state of the art tooling. When you don't know what tools to use or don't have time to find out, they will be very useful -- and that's maybe a lot of value -- but it doesn't change the nature of what's going on.
8. People telling you it's doing what an auditor does, replaces humans, yadda yadda yadda -- they are either clueless, deluded, or deliberately misleading.
9. BTW humans hunting for bugs don't just try to look for known bug patterns -- the known bug patterns are compiled from findings by humans **who actually understood how the code works** and found the bug without anyone telling them what they should be looking for. That's the "research" part in Security Researcher.
10. Most of the known patterns were discovered independently by multiple SRs sometimes years before becoming public knowledge. Sometimes it becomes public knowledge after a black hat discovers it and steals millions (you probably don't want to be the target of that research!)
11. Any human or machine that keeps just trying to match known patterns against code bases will miss **A LOT** of bugs.
12. Finding bugs is crazy hard. Writing bug-free code is even harder. There is no silver bullet. AI isn't magical. Nor is it "automating human cognition".
13. Life is always unfair. More so in a bear market.
14. If you think someone will hand you on X a solution so you can find bugs easily OR so you don't have to spend a lot of effort/money on securing your code...
Well, things are not gonna work great for you.
I want to share a quick thought for people in cyber security. This will be my longest tweet ever.
I’ve spoken to many lately who are having an existential crisis from the constant posts about “the end of cybersecurity jobs.”
Yes, things are changing quickly. This is a significant moment for the tech industry. Change can be uncomfortable. But we’ve seen cycles like this before.
• When GitHub and open source took off, people said software engineers would disappear because code was free.
• When AWS and cloud computing emerged, people said infrastructure jobs would vanish.
• When fuzzing and SAST tools improved, people said vulnerability research would disappear.
• Virtualization would eliminate infrastructure jobs.
• Mobile computing was going to end desktop dev.
• Exploit mitigations would end exploitability. It didn't.
Each time automation improved, the amount of software grew faster than the automation. It does feel "different" this time as it's explosive.
Some roles will shrink:
• repetitive pentesting
• basic vulnerability scanning
• tier-1 SOC monitoring
But other areas are expanding rapidly:
• AI system security
• supply chain security
• identity architecture
• autonomous agent security
• critical infrastructure protection
Historically, every time we eliminate one class of bugs, new classes emerge. Right now people are vibe-coding entire systems, giving AI access to their machines, crossing trust boundaries, and deploying autonomous agents with excessive permissions. The legal and regulatory world is nowhere close to ready.
There will absolutely be new failure modes. Humans are amazing and always adapt, finding new ways to do things.
The worst thing you can do right now is fall into a doom loop.
...and I’ll be honest, I too have felt the "psychological paralysis" a few times thinking, “Is this time different?” It's especially impactful when it comes from someone I respect in the community. There are certainly unknowns, in an industry where we've become accustomed to predictability.
But... the majority of those reactions are usually driven by social media, not reality. Platforms like X reward engagement, and sensational doom posts spread faster than measured thinking.
If you see something like:
“Holy #$%^! Opus 66.6 just found every bug in Chrome and replaced 50 startups!”
…mute it and move on.
Instead:
Stay curious.
Learn the new technology.
Adapt your skillsets.
Build things.
We’ll get through this transition the same way we always have. If I'm wrong then Sam Altman better be right about UBI! :) I'm sure that if this tweet gets any engagement that I'll get some heat for it, but a good friend of mine reminds me often to focus on what you have control over. I'll revisit this tweet at DEF CON 40!
Being the 1st public auditing skills author, I can share this:
• AI can't write skills as well as actual auditors
• Over-verbose skills (e.g. more than 5000 tokens a page) are creating context rot
• Installing other people's skills is much scarier than npm install
I solved this by utilizing my profile site to host the Auditor Skills Registry
• Skills I personally use (including skills from @pashov, @trailofbits, @QuillAudits_AI, @auditmos, myself, etc.)
• Security reviewed, guardrails, AI reliance rating
• Easy and secure 1-click installation to claude code / copilot cli / gemini cli / codex
IMPORTANT: Like or repost if you plan on using it, to let me know if I should keep it live:
https://t.co/ZzcrI0GfEN
"... don’t let the hype convince you that understanding systems doesn’t matter anymore, and don’t skip the fundamentals because some guy on Twitter said AI will handle it."
by @ITSecurityguard
https://t.co/f4zbTAjXBi