Vitor Falcão "busfactor"

909 posts
@busf4ctor

Brazilian Full-Time Bug Bounty Hunter

Brazil · Joined November 2015
610 Following · 4K Followers
Lupin@0xLupin·
WE DID IT! WE RAISED $5.9M PRE-SEED 🥳🎉🎉
Vitor Falcão "busfactor"@busf4ctor·
@0xTib3rius I did that when I had a very specific thing I needed. It requires a lot of steering. Make it update a markdown todo file or something like that so you can keep an eye on how it’s going
Tib3rius@0xTib3rius·
I have a /loop in Claude Code that's been running every 30 min, all night. It goes and does research on web app testing techniques, then either writes or updates a set of custom scan checks for Burp Suite. Gonna let it run for a while then see what it's produced. 👀
Vitor Falcão "busfactor"@busf4ctor·
@nnwakelam You can just ask for that in the issue tracker. You have permission after 90 days, I think. Anyway, no reason not to tell them about it, they always accept it and even ask you to share it with them so they can help you
Nate@nnwakelam·
Does anyone know who you speak to to get approval for writing up *.google.com bugs? Just security@?
Evan Klein@EvanKlein338226·
@CristiVlad25 Gold mine when you find them. Internal API routes, auth flows, sometimes hardcoded secrets in the original source. What's your go-to for finding these? I usually start with /main.js.map and /static/js/*.map paths
🇷🇴 cristi@CristiVlad25·
It's always a good idea (and low noise) to check for public source maps before doing blind endpoint discovery.
Vitor Falcão "busfactor"@busf4ctor·
One of the things I procrastinate on a lot is writing a blog post about dealing with ADHD as a hacker. I'm no specialist, but having had it and treated it for many years (meds and non-med methods), I guess I can help many people
Quoting Joseph Thacker@rez0__·
@stokfredrik I think this is classic ADHD. I feel totally overwhelmed and basically cannot force myself to pick up my office/organize paperwork, but I can build/maintain/enhance full blown hackbot stuff loll
Vitor Falcão "busfactor"@busf4ctor·
@stokfredrik @rez0__ Even medicated, it's not easy for me to manage life admin stuff. ADHD makes the barrier to starting too high. Try time boxing it: "I'll search for flight tickets for 10 minutes, and if I don't find a good one, I'll try again tomorrow." Giving your brain a finish line helps a lot!
STÖK ✌️@stokfredrik·
@rez0__ Haha yep, def adhd lyfe. I’m doing pretty well with my strategies and I’m no longer medicating, but this never becomes easier, and the energy required to push through is wild compared to doing things my brain enjoys doing.
STÖK ✌️@stokfredrik·
Logistics is my kryptonite. I really struggle with simple tasks like booking my trips and hotels. Weird how I can be highly functional in one area and a total disaster in the next.
m0z@LooseSecurity·
hi @Hacker0x01 one of your triagers is asking me to actually DoS the target website to prove the cache poisoning vulnerability is valid. It might be worth adding to your training that this is totally inappropriate. I have already shown it's possible using an obscure cache key...
Valentino Massaro@valent1nee·
Why is it so hard to find a decent car driving academy here... It seems way easier to find a decent flight academy.
Vitor Falcão "busfactor"@busf4ctor·
ok, I need to get this off my chest. I'm hacking on this target, and I found something crazy. It should not work. The question is: WHY did the developers make CSP a feature flag you can disable???? LOL
joao@pwnj0·
@busf4ctor The real bug bounty tip: how to become persistent while hunting is the hardest step imho
Vitor Falcão "busfactor"@busf4ctor·
I used to struggle to read more than 50 pages of a book before giving up and never touching it again, so I started setting micro goals. Reading just five pages a day felt like progress. If I finished five, I was satisfied and could put the book down. By the end of the year, I had read 4,200 pages. I realised that all I needed was to take the pressure off and just begin. It’s like going to the gym. Sometimes just putting on your workout clothes makes it harder to quit, even if you haven’t left the house yet.

A few months ago, I used the same approach for bug bounty hunting. I was feeling burned out/jaded, so I set a micro goal to hunt for just one hour each day with real focus. This small goal built momentum, and I often ended up hunting longer. Even when I stopped after an hour, I felt good about it. I found many bugs, succeeded in an LHE, got into more LHEs, and earned some great bounties.

Give it a try. Set micro goals and don’t put too much pressure on yourself. Just focus on completing that small goal with real effort, or at least on learning something new. If it doesn’t work out one day, you can always try again the next.
Vitor Falcão "busfactor"@busf4ctor·
@hugopicanzo It’s enough, maybe not enough to make a living from bounties, but 1% every day is powerful. Yeah, I try to have micro goals on all the parts I need consistency regardless of motivation levels
Hugo Picanzo@hugopicanzo·
@busf4ctor Great tip! That’s great when you already have some foundations and hands-on bug bounty experience. When you're starting out, one hour a day isn’t enough because of the learning curve. And do you set different micro goals (for different parts of your life) at the same time, or just one?
Michael Blake@Michael1026H1·
Agents feel like the next Nuclei. Can be very helpful, but results really depend on customization and where you point it. I also expect triagers will be dealing with a lot of reports that the reporter doesn't understand.
ArtSec@_ArtSec_·
I'm getting very close to a burnout currently, haven't found a bug in 4 weeks and imposter syndrome is rising quickly. I gotta find a way to break out somehow.
Vitor Falcão "busfactor"@busf4ctor·
@TherealWaRL0k No VDPs. Don't work for free. People tend to go after VDPs thinking they are easier targets, and maybe they are, but don't make your time worthless like that. Let VDPs run in a "see it, report it" manner, not "hunt for it, report it".
𝙢0𝖏0𝖏0𝖏0@TherealWaRL0k·
@busf4ctor Thank you so much for the detailed reply. I solved a CTF last month, and I am looking forward to finding a VDP bug this month. I really want to build consistency over bursts of random work; stopping during the part I enjoy is what I will do next. Thank you for the advice.
Vitor Falcão "busfactor"@busf4ctor·
@TherealWaRL0k The second part of the tip is to take good notes so you don’t have to rely on humans’ weak memories. The next day, you can get up to speed faster. Also, stopping during a part you enjoy is a crazy trick to get motivated the next day to start again.
Vitor Falcão "busfactor"@busf4ctor·
@TherealWaRL0k Marathons burn you out. You can go to the gym every day for a month, burn out, and spend a year being sedentary, or take it easy, go twice a week, and keep going for a whole year. The latter is consistency: better results and better health. Bug bounty hunting works the same way.