Mantas Sabeckis
@ott3rly

Bug Bounty Hunger

https://ott3rly.com Joined November 2016
1.3K posts 364 Following 5.7K Followers
Mantas Sabeckis retweeted
box turtle / shai-huturtle @xploitrsturtle2
GitHub knew for hours, they delayed telling you and they won't be honest in the future. What an amazing run, it's been an honor to play around with the cats over the past few months. #teamPCP #github
Mantas Sabeckis @ott3rly
AI Slop Report Programs DDoS Era
Mantas Sabeckis retweeted
Karthik @karthikponna19
POV : USING CLAUDE OPUS 4.7 TO JUST RENAME A VARIABLE
Mantas Sabeckis retweeted
Joseph Thacker @rez0__
I got a CVE for LFI in Adobe Magento! Back in Jan, the team at @AutonomousCyber let me give them targets for their hackbot FUZZ-E to look at. It also found 2x zero-days in Angular, which I'll post on later. With 1 run overnight, it found vulns in wildly hardened projects.
Mantas Sabeckis retweeted
sui ☄️ @birdabo
never deleting this app 💀 bro is gonna wake up with -$300k
TESS @ArmanSameer95
5.5 > 4.7
Mantas Sabeckis retweeted
FuzzingLabs @FuzzingLabs
We got the email too. We had a working RCE on Oracle Autonomous AI Database ready to demonstrate live at #Pwn2Own Berlin next week. ZDI confirmed they're at maximum capacity and can't add extra contest days. AI is now generating offensive capability faster than the institutions built to process it can keep up. We'll be in Berlin May 14-16 regardless. The conversations there will be really interesting!
International Cyber Digest @IntCyberDigest
‼️🚨 Pwn2Own Berlin 2026 just hit a wall. For the first time in 19 years, ZDI rejected dozens of working zero-day RCE submissions because organizers ran out of contest slots. Rejected hackers are now going public with PoC demos and direct vendor disclosures, breaking Pwn2Own's usual secrecy. ▪️ AI surfaces a massive wave of 0-day RCEs. ▪️ Submissions overwhelm ZDI past max capacity. ▪️ Slots run out. Researchers with working chains get rejected. ▪️ "Revenge disclosures" begin. ← we are here. Confirmed casualties so far: ▪️ @xchglabs : 86 vulnerabilities prepared (PyTorch, NVIDIA, Linux KVM, Oracle, Docker, Ollama, Chroma, LiteLLM, llama.cpp). All rejected. Now reporting directly to vendors with writeups dropping as patches land. ▪️ @ggwhyp : full-chain Firefox RCE on Windows. Rejected. Publicly demoed (HTML page → cmd.exe → calc.exe). Responsibly disclosed to Mozilla. ▪️ @yunsu_dev : working RCE chain, rejected. Submitting elsewhere. ▪️ @ryotkak : tried to register for 3+ weeks. ZDI confirmed "at maximum capacity, can't add extra contest days." Considered canceling flight and hotel. ▪️ @anzuukino2802 : Claude Code RCE PoC. Rejected. ▪️ @desckimh : 0-day RCEs in Ollama and LM Studio. Rejected. Reported impact: a community-estimated 150+ researchers tried to register. Accepted contestants are now being warned about collisions. Rejected vulnerabilities going to bug bounty programs may trigger pre-event patches that invalidate the work of those who got in. ZDI has not publicly addressed the capacity issue. The event still runs May 14-16 in Berlin.
Mantas Sabeckis @ott3rly
@guilnx Well, different people will use it differently. Depends on your workflows. I don't have one solution for all, but can only point to the right direction - try building your own AI framework and use /goal as a short prompt to follow your framework workflows.
Mantas Sabeckis @ott3rly
Left Codex overnight + half a day with /goal on. Still going. Reports ready to review. It still needs a human, but I love the idea that it's working while I am away.
Mantas Sabeckis retweeted
Tib3rius @0xTib3rius
You can now pay Anthropic for Claude Code, and use Claude Code to hack Anthropic, and get paid by Anthropic for bugs its own product finds in itself. We live in wild times.
Anthropic @AnthropicAI
Our security bug bounty program is now public on HackerOne. We've run the program privately within the security research community, and their findings have strengthened our products. Now anyone can report vulnerabilities and get rewarded. Read more: hackerone.com/anthropic
Mantas Sabeckis retweeted
Samay @Samaytwt
Relax guys, I got the solution.
Mantas Sabeckis retweeted
LonelySloth @lonelysloth_sec
Why does Anthropic need a Bug Bounty? Why not just point Mythos at their own stuff?
Mantas Sabeckis retweeted
zseano @zseano
Would not be surprised if AI testing becomes a new HackerOne platform standard that companies opt in or out of 🧐 Get caught using AI? Bye bye bounty. Interesting times ahead for the industry.