Toan Pham

121 posts

Toan Pham

@__suto

Cybersecurity Engineer | Qrious Secure (@qriousec) & VnSecurity (@vnsec) | First guy pwned v8ctf with 0day | Enterprise Security by Day, Bug finding by Random.

Katılım Ağustos 2009

815 Takip Edilen2.5K Takipçiler

Toan Pham@__suto·4h

@loknop not worth for that complication :)

English

loknop@loknop·1d

@__suto that hash might be OpenAI and they want to announce it in a blogpost themselves?

English

330

Toan Pham@__suto·2d

Insane release: 26 CVEs — 4 V8 bugs by different contributors, 9 by a semi-anonymous individual (hash c6eed09) found across Chromium components (mostly WebRTC), and 4 by Google self. Let’s see if the trend keeps going…

xvonfers@xvonfers

chromereleases.googleblog.com/2026/03/stable…

English

113

18.6K

Toan Pham@__suto·4h

@yz9yt yes i said 9 by c6eed09, 26 is total

English

Albert @YZ9YT@yz9yt·4h

@__suto According to c6eed09, it’s 9, not 26. We also need to verify if it’s real, because some people are taking old fixes and requesting a CVE: chromereleases.googleblog.com/2026/03/stable…

English

Toan Pham@__suto·4h

@yz9yt x.com/__suto/status/…

Toan Pham@__suto

QME

Albert @YZ9YT@yz9yt·5h

@__suto Where is the CVEs?

English

Toan Pham@__suto·1d

Seems that 9 Chrome CVE of c6eed0 came frome vibe coded fuzzing not from agentic :) So many duplicates and chaos...

Chaofan Shou@Fried_rice

vibe coded a fuzzing ai agent last month and let it run for a week using my $200 claude max. it then found 21 high/critical vulnerabilities in Chrome.

English

139

27.6K

Toan Pham@__suto·1d

@0xocdsec seems the mysterious has been solved 😂 x.com/__suto/status/…

Toan Pham@__suto

Seems that 9 Chrome CVE of c6eed0 came frome vibe coded fuzzing not from agentic :) So many duplicates and chaos...

English

989

︎@0xocdsec·3d

c6 is some kinda AI? well it is making us safer

xvonfers@xvonfers

chromereleases.googleblog.com/2026/03/stable…

English

Toan Pham@__suto·1d

@Fried_rice yes he seems went there first 🤣 saw your duplicate! anw, great job!

English

1.7K

Chaofan Shou@Fried_rice·1d

@__suto I’m not c6eed09fc8b174b0f3eebedcceb1e792 🤣

Eesti

2.4K

Toan Pham@__suto·2d

@S1r1u5_ i know some folks, basically you can show to people you want when needed

English

s1r1us (mohan)@S1r1u5_·2d

@__suto weird someone dont want to reveal identity

English

Toan Pham@__suto·2d

@S1r1u5_ if stealth they might just demo rce 0day instead?

English

s1r1us (mohan)@S1r1u5_·2d

@__suto is hash some stealth startup?

English

107

Toan Pham retweetledi

Qrious Secure@qriousec·6d

One Repo x Codex/Claude Code/Cursor! by @trichimtrich

Português

8.6K

Toan Pham@__suto·8 Mar

Yes, the goal is common, but the outcome is slightly different, in my opinion. And I would bet/hope on your point about context engineering and expertise still matter; otherwise, all the power would be in the hands of the foundation companies and i personally dont like that outcome!

English

147

Tim Becker@tjbecker·8 Mar

@__suto In my view, we all have a common goal: leverage LLMs to find high impact bugs. The model capabilities definitely matter, but context engineering and analysis techniques are huge levers!

English

229

Toan Pham@__suto·7 Mar

So it turned out that was Anthropic—no wonder it uncovered so many vulnerabilities across multiple components! The bar has been raised higher than ever. Let’s see if BigSleep or Codex can surpass this :) anthropic.com/news/mozilla-f…

Toan Pham@__suto

Someone new ( has never submitted before ) has made a strike with 22 bugs across firefox components ( about 6 in js ) in total more than 50! Look like they invented something cool. at the sametime 0 js bug in v8: chromereleases.googleblog.com/2026/02/stable…

English

12.8K

Toan Pham@__suto·8 Mar

I bet Xint would get a lot more attention if there were a 0-click kernel RCE pixel drop. For the “Surpass” thing, I’m more curious about teams with unlimited access to foundation unfiltered raw models performing vulnerability hunting than about others like Xint Code or Xbow—or solo players like me.

English

440

Tim Becker@tjbecker·8 Mar

@__suto Does Xint Code's wormable direct-to-kernel RCE (+ 10 other high severity Android bugs) surpass this? x.com/tjbecker/statu…

Tim Becker@tjbecker

Xint Code found a 0-click kernel memory corruption bug, likely weaponizable as wormable RCE, affecting many Android phones, including Pixels. We reported this in February, along with 10 other high+ severity bugs, but are waiting for a patch to ship before sharing more details.

English

1.4K

Toan Pham@__suto·7 Mar

The important thing is that these AI systems ( I hope ) are good enough to prevent massive, silly bugs in IoT and infrastructure that nobody has the time or excitement to look at, except when they are shown at events like Pwn2Own, where one router, printer, or camera can have tons of duplicate 0day has been there for years.

English

1.7K

Toan Pham@__suto·6 Mar

@darkfloyd1014 @wwkenwong @vxresearch I just more experienced :) let me know next time if you guys need!

English

Mr. Anthony 安東尼@darkfloyd1014·6 Mar

@__suto @wwkenwong @vxresearch We are not good at it 😂, probably we can collaborate if you don’t mind. I believe you all can exploit easily.

English

Mr. Anthony 安東尼@darkfloyd1014·5 Mar

We got 7000 USD bounty from Google VRP. Nice, but hard work. Good and interesting desirable bug 😂🍀❤️ @wwkenwong @vxresearch

English

160

5.8K

Toan Pham@__suto·6 Mar

@darkfloyd1014 @wwkenwong @vxresearch cool, why you not exploit it?

English

123

Mr. Anthony 安東尼@darkfloyd1014·6 Mar

@__suto @wwkenwong @vxresearch V8

235

Toan Pham@__suto·6 Mar

@darkfloyd1014 @wwkenwong @vxresearch 🙏 i haven't done anything

English

Mr. Anthony 安東尼@darkfloyd1014·6 Mar

@__suto @wwkenwong @vxresearch typo: inspiration and your sharing posts.

English

132

Toan Pham@__suto·2 Mar

This is probably one way for solo hacker to compete with big/vc back corp. More inportantly, it is true hacking spirit.

snwy@snwy_me

i made a writeup of how i did this + some tweaks i did after the original post; check it out this is my first real long-form article so sorry if it's shit code + updated frankenqwen will be published soon

English

3.2K

Keşfet

@loknop @yz9yt @0xocdsec @Fried_rice @S1r1u5_ @trichimtrich @elonmusk @BarackObama