todayisnew

618 posts


@codecancare

May you be well on your side of the screen.

Ontario, Canada · Joined March 2014
331 Following · 23.6K Followers
todayisnew (@codecancare)
@rez0__ So you're saying vb6 and text files are not going to cut it ;) Great work, looks really amazing. I've folded in and training as well; it's automation with intelligence. Templates / tools / scripts are no longer hard coded, they are clean adapting prompts that, well, are awesome :)
Niagara Falls, Ontario 🇨🇦
Joseph Thacker (@rez0__)
It is hard to communicate how much bug bounty has changed due to AI in the last 2 months: not gradually and over time in the "progress as usual" way, but specifically this last December. There are a number of asterisks but imo coding agents basically didn't work for security research before December and basically work since - the models have significantly higher quality, long-term coherence and tenacity and they can power through large and long hacking tasks, well past enough that it is extremely disruptive to the default bug bounty workflow. Just to give an example, over the weekend I pointed Claude Code at a new program's scope and wrote: "Here are the target domains. Enumerate subdomains, grab all the JavaScript bundles, run the full analysis pipeline (endpoints, secrets, source-sink tracing, postMessage handlers), fuzz the discovered paths, spider the authenticated surface, check for IDORs on user APIs, test any interesting GraphQL endpoints, and write up an HTML report of everything you find." The agent went off for ~30 minutes, ran into multiple issues (auth failures, WAF blocks, malformed responses), researched solutions, resolved them one by one, analyzed the JS, fuzzed endpoints, tested access controls, and came back with the report. Two confirmed vulnerabilities and a handful of interesting leads. I didn't touch anything. All of this could easily have been a full weekend of manual work just 3 months ago but today it's something you kick off and forget about for 30 minutes. As a result, bug bounty hunting is becoming unrecognizable. You're not manually clicking through Burp Suite and hand-testing parameters one by one like the way things were since this industry started, that era is over. You're spinning up AI agents, giving them targets *in English* and managing and reviewing their output in parallel. 
The biggest prize is in figuring out how you can keep ascending the layers of abstraction to set up long-running orchestrator agents with all the right skills, memory and instructions that productively manage multiple parallel hacking instances for you. The leverage achievable via top tier "agentic engineering" for security research feels very high right now. My friends and I have been building out custom skill libraries for Claude Code - things like JS static analysis pipelines, authenticated fuzzing, IDOR testing frameworks, GraphQL introspection - and sharing them with each other. Each person's agent gets better as the collective skill set grows. We're finding more bugs in a week than we used to find in a month. It's not perfect, it needs high-level direction, judgement, hacker intuition, oversight, iteration and hints and ideas. It works a lot better in some scenarios than others (e.g. especially for targets with thick JavaScript clients where you can verify findings with a curl command). The key is to build intuition to decompose the target just right to hand off the recon and testing parts that work and help out around the edges with the creative exploitation. But imo, this is nowhere near "business as usual" time in bug bounty.
Andrej Karpathy (@karpathy)

It is hard to communicate how much programming has changed due to AI in the last 2 months: not gradually and over time in the "progress as usual" way, but specifically this last December. There are a number of asterisks but imo coding agents basically didn’t work before December and basically work since - the models have significantly higher quality, long-term coherence and tenacity and they can power through large and long tasks, well past enough that it is extremely disruptive to the default programming workflow. Just to give an example, over the weekend I was building a local video analysis dashboard for the cameras of my home so I wrote: “Here is the local IP and username/password of my DGX Spark. Log in, set up ssh keys, set up vLLM, download and bench Qwen3-VL, set up a server endpoint to inference videos, a basic web ui dashboard, test everything, set it up with systemd, record memory notes for yourself and write up a markdown report for me”. The agent went off for ~30 minutes, ran into multiple issues, researched solutions online, resolved them one by one, wrote the code, tested it, debugged it, set up the services, and came back with the report and it was just done. I didn’t touch anything. All of this could easily have been a weekend project just 3 months ago but today it’s something you kick off and forget about for 30 minutes. As a result, programming is becoming unrecognizable. You’re not typing computer code into an editor like the way things were since computers were invented, that era is over. You're spinning up AI agents, giving them tasks *in English* and managing and reviewing their work in parallel. The biggest prize is in figuring out how you can keep ascending the layers of abstraction to set up long-running orchestrator Claws with all of the right tools, memory and instructions that productively manage multiple parallel Code instances for you. The leverage achievable via top tier "agentic engineering" feels very high right now. 
It’s not perfect, it needs high-level direction, judgement, taste, oversight, iteration and hints and ideas. It works a lot better in some scenarios than others (e.g. especially for tasks that are well-specified and where you can verify/test functionality). The key is to build intuition to decompose the task just right to hand off the parts that work and help out around the edges. But imo, this is nowhere near "business as usual" time in software.

todayisnew (@codecancare)
@Arl_rose Thanks for the kindness, support and shared moments over the years :) Hope your next adventure brings you more joy and opportunities :)
Ariel Garcia (@Arl_rose)
After almost seven years, my journey at HackerOne comes to an end today. This has been one of the most impactful experiences of my life, and I wanted to share a bit more about the ride. It all started in 2018. I had a dream of bringing a Live Hacking Event to Argentina after seeing the magic of the community in Las Vegas. I am forever grateful for the trust placed in me back then. Someone took a chance on a random guy from Argentina and made my hire happen, and I wouldn't be where I am today without that shot. In the years since, I have been lucky enough to build things from the ground up. I was tasked with building the pentest community from scratch when we launched the product, and seeing it grow into a home for hundreds of professional pentesters has been incredible. My biggest passion project was always focused on a worldwide hacking competition. My early pitches for a regional tournament eventually evolved into building a global network of hackers instead. We started that program with just seven people. Today, I leave a network of 90 ambassadors across 45 countries. That network finally allowed me to execute the Ambassador World Cup. Watching that tournament evolve into a global phenomenon that paid out 2.4 million dollars in its latest edition was a dream come true. From the finals in my hometown of Buenos Aires to the trophy presentation in Dubai, seeing hackers find their first bugs through this program has been the highlight of my career. After 20 Live Hacking Events as an employee, traveling the world and meeting the community in person kept my passion alive for years. None of this was a solo effort. I was only able to be creative because my team was the best in the business and I was given the room to run. Thank you to the global community of hackers and the rockstars on the community team for being such a massive part of my life. I am moving on to a new chapter to do some fun stuff. More to come on that soon. Thank you for everything and stay in touch!
todayisnew (@codecancare)
@the_IDORminator @rez0__ Thanks for the kind words, and prayers :) hope life goes well on your side as can be :)
Kitchener, Ontario 🇨🇦
the_IDORminator (@the_IDORminator)
@rez0__ @codecancare Oh sorry to hear that man, will keep in our prayers. Yea my bad, I used to go by zwink on the platform :)-
the_IDORminator (@the_IDORminator)
I find it fascinating that hackers are willingly uploading their payout emails which contain PII to that #bugbounty.forum site just to validate their payments. Imagine the server scrapes your name, email, and other data while it "verifies" it. Make good decisions 😜
todayisnew (@codecancare)
@the_IDORminator @rez0__ Oh Hello ;) getting back at it, some health challenges for some loved ones took priority to support them last year or so. You look like you’ve been doing some awesome things yourself :)
Kitchener, Ontario 🇨🇦
the_IDORminator (@the_IDORminator)
@codecancare @rez0__ It's the Bugcrowd leaderboard guy!! Hello @codecancare, I've seen your face every time I load the leaderboard for 5 years 🤣 You still hacking these days?
todayisnew (@codecancare)
@Hack_All_Things Your kindness, fairness, and sense of humour still echoes out in all your connections :) Thanks for sharing some of those precious moments with me and my family :)
Roy Davis (@Hack_All_Things)
Peace out world. Best wishes to all. ALS has won this battle, but hopefully not the war!
todayisnew (@codecancare)
@mcipekci You did great :) A bug hiding in plain sight in a popular program, great use of your skills with AI helping to do some of the work :)
Kitchener, Ontario 🇨🇦
Mustafa Can İPEKÇİ (@mcipekci)
Collaborations make bug bounties more fun. Recently, @codecancare found a potential SQL injection on a target and asked me to check it. The SQL injection was in the URI, as the backend used direct input, treating "+" as normal instead of a space. I manually exploited it with a simple case-when payload on string concatenation: (case when 1=1 then '5' else (select 1 union select 2) end) If false, it returns two rows in the subquery, causing a DBMS error. I exploited it using Burp's Intruder with a cluster bomb technique. On a Synack engagement, I’d provide the Intruder configuration for triage, but since it wasn’t, I tested SQLmap. It failed, even with tampers like between and equal2like. I created a Python script using Gemini Pro. After it rejected prompts for ethical reasons, like dumping data, I rephrased to "fetching," and it worked. The script mimics SQLmap’s functionality: gist.github.com/mcipekci/80fbe… This shows how to exploit similar cases and create PoC scripts using AI efficiently. Unlike SQLmap’s numerous requests, this script is leaner and more robust. #bugbounty #bugbountytips
Roy Davis (@Hack_All_Things)
Friday @Zoom Bug Bounty researcher spotlight on @codecancare (todayisnew). A top tier hacker with over 240 valid reports submitted, including 8 critical findings! Thank you Eric for your great work and gracious professionalism!
todayisnew (@codecancare)
@Lordnilrac I think I found your wallet if I can get it back to you
Waterloo, Ontario 🇨🇦
Jenish Sojitra (@_jensec)
Last week, I achieved a total of $500k+ bounty reward from a single @Hacker0x01 program.

Statistics:
Timeline: 2 Years
Total Reports: 359
Valid Reports with Bounty: 280
Duplicates: 22
Critical: 23
High: 88
Medium: 168
Low: 69
Max Reward: $7k
Lowest Reward: $150

By vulnerability class:
Improper Access Control/Authentication Issue - 32%
Improper authorization/BAC/IDOR - 25%
Information Disclosure - 13%
Injections - 8%
XSS (Stored) - 6%
Others - 14%

By asset type:
Web Portals - 70%
Mobile Apps API - 16%
Documented API - 6%
CIDRs/IPs - 6%
Code review analysis - 2%
#BugBounty
Hussein Daher (@HusseiN98D)
Starting off 2025 with some cool vulns. Gg everyone 🌙 Zero automation for me. Cc @Bugcrowd
todayisnew (@codecancare)
@Hack_All_Things Or x number of valid reports unlocks different scope, that way maybe more fragile scope only getting looked at by a smaller sub group :)
Kitchener, Ontario 🇨🇦
todayisnew (@codecancare)
@Hack_All_Things Maybe open triage for the event a month earlier? If you get x valid reports triaged, that comes with free travel / accommodations? No valid bugs gets the lesser package to participate remotely maybe? That way you only pay for travel for those who you know already bring value? :)
Kitchener, Ontario 🇨🇦
Roy Davis (@Hack_All_Things)
If Zoom were to host an In-Person Live Hacking Event in Denver Colorado (USA) sometime over the Summer of 2025, during which over $500,000 in bounties were up for grabs, would you be willing to cover your own travel expenses?
todayisnew (@codecancare)
@ncookie_eth Looking to get in touch with you, if you can send a DM, pretty urgent: ncukxxx@xxx.com
Kitchener, Ontario 🇨🇦
todayisnew (@codecancare)
Thank you, @Hacker0x01, for the opportunity and support, and to everyone who has kindly collaborated with me over the years. Wishing everyone peace and joy this holiday season on your side of the screen :)
Marco (@jmo740)

Congratulations @codecancare The king of automation has reached over 200,000 reputation points on @Hacker0x01 🔥 Eric you are doing a great job 🪲

Kitchener, Ontario 🇨🇦
todayisnew (@codecancare)
@theSpaghettiSec @Hacker0x01 Thanks for the kind words :) and the collabs from you and all others to reach the milestone :) Hope everyone can find some peace in their own way over this holiday season :)
Marco (@jmo740)
Congratulations @codecancare The king of automation has reached over 200,000 reputation points on @Hacker0x01 🔥 Eric you are doing a great job 🪲