I created a reputation and reviews repository for VDP/bug bounty programs:
https://t.co/zA2VxENILw
Anyone who has had a positive or negative experience with one can submit their review to help build the program's reputation index. This way, others can make a more informed decision if it's worth spending time hunting bugs for them.
Currently, reviews are submitted through GitHub Issues. On the website, there's a /contribute section with more details. You just fill out the formatted template and submit it, and a GitHub Action automatically creates the PR with your review.
Additionally, the repo already includes some common reviews found around the internet, and I plan to add more to better reflect the real community sentiment about these programs.
Suggestions are also welcome.
Google paid us $57,000 for two bugs in Chrome.
We’re not doing this for the bounty, but it’s always fun to get rewarded.
These bugs were found using nothing fancier than a $20/month AI subscription.
If you’re curious, come check out our talk at the Real World AI Security Conference at Stanford: https://t.co/QPanlB3lUS
We haven’t published the Chrome bugs in our MAD Bugs series. They work better as part of something even more fun; stay tuned!
@AkashHamal0x01 One of my favourite programs moved from HackerOne to Bugcrowd, and it ended up taking around three months just to triage one report. After that experience, I decided to stop working on the program.
Oh, we do. I was just about to make a post on how this is reminiscent of when Nuclei came out. People were literally spamming anything Nuclei spat out as low severity or higher. Imagine an open-scope VDP program, and imagine all the results.
Now imagine 50+ hackers doing the same and reporting the exact same nuclei results. Now this feels exactly the same, but much worse.
Getting no results on Nuclei eventually pushed you to abandon the tool and learn web app, if you wanted to be successful. I really don’t see beginners willing to abandon Claude to learn and understand web applications and testing strategies. Of course a few will, but in my 5 years of triage, I can almost guarantee that most won’t.
And those people will be the first casualties of AI.
At @yeswehack, we use AI to solve security problems, not to harvest human intelligence. 🤖
Our rollout of AI features is grounded in non-negotiable principles 👇
🤝 AI where it helps, humans where it matters – automating repetitive tasks while experts focus on complex challenges and customer context
🧑‍💻 Humans-in-the-loop, always – augmenting analysts, but critical decisions remain firmly in human hands
🛡️ Customers in control – empowering security teams to choose which features to use, on their terms
Find out more: https://t.co/7aBS7NkzEq
Just heard about HackerOne allegedly training an AI pentesting agent on private bug bounty reports.
Which is great news.
I’ve always wanted to be part of something bigger than myself.
Like a dataset.
I logged into the platform to review one of my old private reports.
The one with the 47-step reproduction chain and the custom Burp extension I wrote at 2:13am.
It now feels less like a finding.
More like a contribution to the collective.
Some people are upset that private reports might be used to train an AI.
I prefer to think of it as mentorship.
I walked so the model could run automated recon at scale.
That’s legacy.
The platform says it’s trained on years of proprietary exploit intelligence.
Which sounds suspiciously like “stuff we already did.”
But I appreciate the rebrand.
I used to be a hacker.
Now I’m pre-training data.
Career growth.
I checked my dashboard to see if I get royalties.
There is no royalties tab.
But there is a leaderboard.
I assume the AI is climbing it.
I hope it enjoys the hoodie.
A few researchers are worried this devalues human work.
I disagree.
My work has never been more valuable.
It’s now infinitely reusable.
Like a zero-day sourdough starter.
I submit vulnerability reports.
The AI absorbs them.
The AI pentests the same targets next quarter.
Somewhere in there is synergy.
Or recursion.
Hard to tell.
I asked support if the AI will be submitting duplicate reports based on patterns it learned from mine.
They said the system is designed to enhance signal.
I respect that.
Nothing enhances signal like automation replaying my exact payloads at machine speed.
I’ve decided to lean into this.
From now on, I will optimize my reports for model readability.
Clear headings.
Concise PoCs.
Structured exploitation paths.
If I can’t win the bounty, I can at least improve the weights.
This is what scale looks like.
The future of bug bounty is continuous, AI-driven testing powered by historical exploit intelligence.
Which is a very elegant way of saying:
“Remember that bug you found? It found you back.”
I’m proud to be part of the ecosystem.
Even if the ecosystem is now pentesting itself.
Submitting my next report tonight.
For training purposes.
How to access servers behind Cloudflare by bypassing the firewall?
@FearsOff #bugbountytips #cloudflare #firewall #bypass
1) Found a sweet hostname but Cloudflare Firewall blocks you? There's a neat trick attackers can use if the origin is misconfigured.
New to cybersecurity and don’t want to learn alone?
I’ve created a WhatsApp group for beginners to connect, share ideas, and grow together in a supportive space.
If that sounds like what you need, drop a comment and I’ll send you the invite link.
@b4tm4Nx0 @Hacker0x01 Thanks :). It takes time to find the first bug, but be persistent, and you will definitely find your first bug. Focus on one vulnerability for now and look everywhere.