SecurityReapers

144 posts


@SecurityReapers

Bug hunter at H1/bugcrowd/Synack/YWH https://t.co/tS4W5U7UeY https://t.co/aqWexbsp3J, https://t.co/iyV9BseuE4

Pakistan. Joined March 2017
598 Following, 864 Followers
Pinned Tweet
SecurityReapers @SecurityReapers
In May this year, I, along with @M_Zeeshan899, found our biggest bug with our biggest bounty on @Hacker0x01. The bug was quickly fixed and awarded with a bounty of $76,500. The bug was similar to what nahamsec has explained in his video youtu.be/KfoOl8RhlhQ
zonduu @zonduu1
Anyone who is really good at sub bruteforce want to collab with me on something?
SecurityReapers retweeted
Tib3rius @0xTib3rius
Just heard about HackerOne allegedly training an AI pentesting agent on private bug bounty reports. Which is great news. I’ve always wanted to be part of something bigger than myself. Like a dataset. I logged into the platform to review one of my old private reports. The one with the 47-step reproduction chain and the custom Burp extension I wrote at 2:13am. It now feels less like a finding. More like a contribution to the collective. Some people are upset that private reports might be used to train an AI. I prefer to think of it as mentorship. I walked so the model could run automated recon at scale. That’s legacy. The platform says it’s trained on years of proprietary exploit intelligence. Which sounds suspiciously like “stuff we already did.” But I appreciate the rebrand. I used to be a hacker. Now I’m pre-training data. Career growth. I checked my dashboard to see if I get royalties. There is no royalties tab. But there is a leaderboard. I assume the AI is climbing it. I hope it enjoys the hoodie. A few researchers are worried this devalues human work. I disagree. My work has never been more valuable. It’s now infinitely reusable. Like a zero-day sourdough starter. I submit vulnerability reports. The AI absorbs them. The AI pentests the same targets next quarter. Somewhere in there is synergy. Or recursion. Hard to tell. I asked support if the AI will be submitting duplicate reports based on patterns it learned from mine. They said the system is designed to enhance signal. I respect that. Nothing enhances signal like automation replaying my exact payloads at machine speed. I’ve decided to lean into this. From now on, I will optimize my reports for model readability. Clear headings. Concise PoCs. Structured exploitation paths. If I can’t win the bounty, I can at least improve the weights. This is what scale looks like. The future of bug bounty is continuous, AI-driven testing powered by historical exploit intelligence. 
Which is a very elegant way of saying: “Remember that bug you found? It found you back.” I’m proud to be part of the ecosystem. Even if the ecosystem is now pentesting itself. Submitting my next report tonight. For training purposes.
Jobert Abma @jobertabma
Hey hackers! We're running a beta for Hai for Hackers, our AI security agent. If you're interested, please reply with your HackerOne username (we will probably limit to ~100 hackers for now). After it's been enabled, you can start using it by clicking the Hai button in the top right corner of the app. It’s free to use (with a limited daily budget for now). It is like any other AI you’ve interacted with, with the added benefit that it has access to a whole bunch of HackerOne data, like reports and programs. We’re shipping improvements to Hai almost every day.

Here are some neat use cases:
- “take all the learnings from STÖK, jhaddix, and nahamsec's recon strategy and build one for me!”
- “write a python script for a typical recon process”
- “i need an XSS payload that doesn’t use single or double quotes”
- “my XXE payload doesn't call back to my server, what could go wrong?”
- “write a response for report #133337”

The beta also comes with Hai Plays for you, which allows you to build your own security agents in HackerOne. You can create them at hackerone.com/settings/hai_p…. Some of the cool use cases we’ve seen so far are:
- write reports with minimal input from you (efficiency++!)
- convert reports into blogposts with a single prompt
- AI mentor to give feedback about your communication and increase the likelihood of a reward

In the background we’ve been working on agentic behavior, which we expect will soon come to Hai for Hackers as well. These AI agents can act like your hacking buddy and hack alongside you. We’ll keep you in the loop on our progress.
uhonyn @uhonyn
Best token to do an $aura in Base is $FROC. It's a small mcap, many capitulated, Coinbase is the deployer, and Coinbase will list it if it gets to a decent mcap, giving continuation to a potential rally. Who builds this?
SecurityReapers @SecurityReapers
@pxmme1337 Hey @pxmme1337, thanks for making this great platform. I think I found a bug in the wildcard checking in the validation script. Check your DMs for details.
Pomme @pxmme1337
launched recon-royale.com a week ago (my first ever public website) and it's been a wild ride 😅
- 346 signups so far
- nearly 200k requests made to the website
- 5.6k unique visitors from the us, india, france, egypt, germany
- 100000+ subdomains submitted
- average of 50 participants a day

in just one week, the list of shit I've had to learn to do or use is absolutely mad: flask, gunicorn, werkzeug, cors, csrf protection, jwt auth, oauth2 with twitter, sqlalchemy and postgresql, with connection pooling and migrations, async programming with asyncio, aiohttp, aiofiles, and background tasks using apscheduler, dns resolution with cloudflare api, wildcard dns detection, and some socket programming, handling secure file uploads, encoding detection, and data validation with regex, design patterns like decorator, factory, singleton, and mvc architecture, input sanitization, rate limiting, authentication middleware, secure cookies, and http security headers, exceptions, custom error responses, graceful degradation, and db transaction management, restful apis with proper json formatting, status codes, versioning, and rate limiting, optimized performance with connection pooling, async ops, caching strategies, and resource management

first time ever putting one of my creations out in public, and it's been f-ing insane. I have been fixing bugs 'til 2am for the past week now and I'm loving it. thank you, to all of you ♥️ #reconroyale
SecurityReapers retweeted
zhero; @zhero___
Notes on 2024, second year as a VR/bounty hunter: despite its inevitable share of injustices, it is a unique way of life that breathes freedom, based (its functioning at least) on a meritocratic system. Its uncertain character can be stressful, but it is what makes it so addictive.
SecurityReapers @SecurityReapers
@nbk_2000 @_Ali4s_ @e1abrador And about Umbrella, c99 and dnsdb: have you bought a subscription for all of these, or do you just use the trial and web versions? Umbrella, for example, is around $90, which I checked.
₦฿₭ - Paw / Pwn / Purr
@UsmanMansha420 @_Ali4s_ @e1abrador I was fortunate enough to get a Riskiq community API key before they were purchased, those still work. It's not the strongest source, so don't sweat not having it. Sorry, Avros is a typo, should be Anubis (Anubis-DB). And yes, Cisco Umbrella.
SecurityReapers @SecurityReapers
@nbk_2000 @_Ali4s_ @e1abrador RiskIQ/PassiveTotal is now part of Microsoft XDR, which is very expensive, and the community one is not available. Did you buy the whole XDR, or is there any cheaper option which I couldn't find? Also, what is avros? Can you share a URL? And umbrella is Cisco Umbrella, right? #RR_AMA
₦฿₭ - Paw / Pwn / Purr
@UsmanMansha420 @_Ali4s_ @e1abrador I wrote my own tools in Python b/c I had various issues with existing tools (outdated API calls, imprecise calls, inefficient use of credits, etc.). I use: avros, binaryedge, c99, chaos, dnsdb, hudsonrock, merklemap, netlas, riskiq, securitytrails, shodan, umbrella, urlscan, virustotal.
ReConfirm - EASM @ReConfirmEASM
🥰 That was an awesome game to play! Congrats @hadriansecurity, well done! Sharing is caring: type "ReconRoyale" underneath to receive the subdomain list. Make sure DMs are open. 🥳 #reconroyale @pxmme1337 thanks for building this platform!