Tammy.eth

4.5K posts

@TammyBuilds

Smart contract dev → security researcher | Solidity • Foundry • EVM internals | Documenting my path into Web3 security

ON-CHAIN · Joined June 2025
418 Following · 338 Followers
Pinned Tweet
Tammy.eth@TammyBuilds·
someone with 6 months of experience just got paid $100,000 for a single bug bounty finding. i'm at roughly that same point in my journey and haven't found anything yet. no valid findings. no contest payouts. just months of studying, breaking things in practice environments, and slowly learning to read code the way an attacker would. on the days it feels pointless, a post like that is the thing that resets the perspective. because it proves the timeline isn't as long as it feels from inside the grind. 6 months is enough, if those months go into the right things. reading real code, not just tutorials. building the instinct, not just the knowledge. i don't know when my first finding comes. but i know it's closer than it was yesterday.
Tammy.eth@TammyBuilds·
@ControlZ_1337 open sourcing the actual workflow instead of just talking about AI in auditing is rare. most people keep the harness private. interested to see how it holds up on real codebases
AyaCommunity@theayacommunity·
Are you spotting any familiar faces? 👀 We’ve got some insane builders & minds speaking at the Ethereum Build camp… but the real question is, how many of them do YOU already know? If you see someone you’ve learned from or followed → tag them below 👇 More details here: buildcamp-nine.vercel.app
Tammy.eth@TammyBuilds·
@immunefi @__nnez would love to know how he decides a target is worth spending serious time on versus moving on. that filter seems like half the skill
Immunefi@immunefi·
This Security Researcher has earned $1,764,402 on Immunefi. $519,991 in 2026 alone (so far). Now @__nnez is coming on The Immunefi Show to break down his hunting process, how he chooses targets, and how to use AI to actually find bugs. What should we ask him?
Tammy.eth@TammyBuilds·
@immunefi $140M paid out means the protocols that didn't get hacked because of those findings saved multiples of that. bug bounties are still one of the highest ROI security investments in the space and most protocols still treat them as optional
Immunefi@immunefi·
We've just crossed $140,000,000 in payouts to security researchers on Immunefi. Huge shoutout to every single SR who's gotten a payment. Collectively, you've saved countless billions from being hacked. Imagine what crypto would've looked like without those contributions.
Tammy.eth@TammyBuilds·
@sherlockdefi the contracts passing audit while the signing flow or frontend introduces the real vulnerability is one of the most underreported attack surfaces in web3. the scope of "secure" has to expand beyond the solidity file
SHERLOCK@sherlockdefi·
More teams are coming to Sherlock to test the full system their contracts depend on. Signing flows, frontends, wallets, infra, access control, integrations: this is where clean code still turns into real risk. Quick writeup below.
SHERLOCK@sherlockdefi

x.com/i/article/2070…

Tammy.eth@TammyBuilds·
i spent 3 months "learning" smart contract security before i found a structured roadmap. i was watching random courses, jumping between topics, consuming content that felt productive but wasn't building anything real. after 3 months i couldn't tell you what i actually knew. then i found @CyfrinUpdraft and everything changed. suddenly there was a clear path, solidity foundations, then foundry, then advanced concepts, then security. each thing built on the last. i stopped feeling lost and started actually making progress i could measure. the difference wasn't effort. i was putting in effort the whole time. the difference was structure. if you're learning web3 security right now and feeling like you're going in circles — it's probably not you. it's the path. find a structured roadmap and follow it start to finish before jumping to anything else. the 3 months i spent lost were expensive. they didn't have to be.
Tammy.eth@TammyBuilds·
@FireFlySquid380 claude is useful for understanding code quickly and generating hypotheses but it hallucinates enough that every finding needs manual verification. treat it as a first pass, not a final answer
Tammy.eth@TammyBuilds·
survivorship bias point is fair. but "AI will fix all the bugs" misses the part where AI consistently misses business logic errors, cross-protocol assumptions, and anything that requires understanding what the protocol was supposed to do vs what it actually does. that gap is still entirely human
Mixas.eth@MihailVarich·
@TammyBuilds It's great if stories like these motivate you. But I always remember that it's survivorship bias. And what's worse, today you're not just competing with other people in finding bugs. Tomorrow, Anthropic will release a new model, and it will fix all the bugs without us…
Tammy.eth@TammyBuilds·
@eligibleumary same boat, still in uni, still in the courses, still showing up anyway. the ones who make it aren't the ones who had perfect conditions, they're the ones who didn't wait for them
Umary 🐺@eligibleumary·
@TammyBuilds I'm still stuck in my courses. Though it's because I am still in the Uni. But as long as one didn't stop it, he will reach it.
Tammy.eth@TammyBuilds·
@ar3za12 Real!! valid bugs with no payout still means the skill is there. the luck part is real but it finds the people who keep submitting, not the ones who stopped
AR@ar3za12·
@TammyBuilds For me it's already one year and still no bounty but valid bugs so yes we can learn things from them but it may depend on consistency and luck
Tammy.eth@TammyBuilds·
@yoursbyte the AI point is fair but it doesn't invalidate the finding. if you can use AI to surface a critical and then verify and explain it yourself, that's still a real skill. the researchers who figure out that combo are the ones winning right now
Byte | yoursaudit@yoursbyte·
@TammyBuilds They just lie bruh even if he found it he is either using AI or grinding years and do it no one will be good at DLT in short term
Tammy.eth@TammyBuilds·
@idkwhoiamx999 appreciate it. the hard days are the ones that matter most, that's what i keep reminding myself
Yuri@idkwhoiamx999·
@TammyBuilds Keep it up bro never give up even if you reach year you gonna make it work hard
Tammy.eth@TammyBuilds·
@imprint_0x tutorials are fine until they become the thing you do instead of the real work. the switch from consuming to doing is uncomfortable but that's exactly when the learning starts
RHEA@imprint_0x·
@TammyBuilds There’s me still stuck in tutorials for now