Pappa Pug

> El CEO de OpenAI admite que la IA no causará el apocalipsis de empleo que predijo > Uber no encuentra un retorno que justifique sustituir humanos por IA > Starbucks elimina la IA de su sistema por fallos constantes > Microsoft retira Claude Code a sus ingenieros por no ver mejora en costes NATURE IS HEALING

The original MakerDAO code written in "daiwanese" is still one of the most underappreciated SE feasts in Web3. It's the opposite of current code slop with hundreds of unnecessary libraries and object hierarchies. Complicated code = more surface to exploit Study daiwanese. Minimize your code. Learn FV. The future is opposite to current slop practices

LIFE UPDATE! I've been praying and looking for the right opportunity these last 6 months... And almost miraculously it appeared just two days ago, when I was invited to join a walk-in interview. It was a two-stage interview, and there were loads of people overflowing the lobby of the office. Out of the hundreds of nervous people there, I somehow felt strangely calm. And before long my name was called. Instead of going through the stages, I was brought straight to the final interview room to face the hiring manager. And praise God, I was accepted within that same interview. I was able to go home immediately. "See you Monday", they said. My name wasn't even on the list at first... I didn't know anything about the position or project when I walked in. But when I heard the hiring manager speak I knew it was the right project for me. Reconnecting with my hospitality roots with white glove service. I'm sure these next three months will be extremely interesting. Thank you Lord Jesus. 🕊️ Hallelujah.

There's a legitimate frustration buried in that take, but it rests on a misread of why BBP platforms exist. A bug bounty program is not a contact form. It's a contract. The platform is what makes that contract enforceable on both sides. Projects get filtered signal and predictable triage. Researchers get clear rules, payout SLAs, dispute resolution, and a record of work that compounds into reputation. Other responsible disclosure routes exist for the urgent stuff, SEAL 911 being the obvious one, but the premise sits in the same place. Structure exists so serious work can get through. The "just send details over email" model sounds lightweight until you sit on the receiving side. I triaged thousands of reports running MTS at Immunefi. The cost asymmetry is brutal. A researcher can write a scary-sounding critical report in 15 minutes. Invalidating it takes a senior engineer 1 to 2 hours on average. Sometimes more. Small and medium teams don't have that headcount. The big ones already outsource it. With hacks happening almost daily, projects should be taking security more seriously, and many are. But it remains a genuinely hard problem. BBPs catch what a researcher can find externally on the same surface as an attacker. They don't and can't cover everything. A lot of recent damage has been infrastructure failure rather than code bugs, and that surface is hard to fold into a BBP without monthly or quarterly pentests on top. The platform requirement does one more thing that gets missed in these threads. It self-selects for researchers willing to engage with the process. That friction is a feature, not a bug. If signing up for a platform a project explicitly named in their program rules is the dealbreaker, the report was probably not going to clear the bar anyway. Serious researchers maintain accounts on the major platforms because that's where the work is. The AI era raises the floor of all of this. Anyone can prompt a model to produce a coherent-looking critical report with fabricated impact and confident language. Valid work gets buried under that slop, which is precisely what feeds the scepticism. Structured intake, enforceable rules, and reputation on a platform are the only things that hold up at scale. At least for now. So the real question is what intake model actually gets bugs fixed at scale, not whether platforms add friction. The honest answer is managed triage on a platform, with SEAL 911 and similar channels for the cases that can't wait. Teams that skip this either drown in noise or quietly hire someone to handle it.

I never realized how much of this space revolves around marketing companies and AI agents until I learned more about them. Some companies and most “AI agent” guys are just doing pure marketing nonsense, nothing more and nothing less. Meanwhile, blackhats keep showing us what real work looks like by hacking a new project almost every day. So ignore all this nonsense, focus on securing people’s money, improving your skills, and earning good rewards for yourself.

Future of web3sec: Arms Race - Defensive AIs vs Offensive AIs, with teams of elite humans continually improving them. Protocols that aren't monthly scanning their existing code using continually improving Defensive AIs will fall behind the curve & more likely to be exploited.