rokinot

5.1K posts

@rokinot

Computer engineer, smart contract security researcher.

Joined September 2020
366 Following, 592 Followers
rokinot reposted
esk
esk@_esk_kse_·
@0xzak >company in financial trouble "leaks" how awesome their next product is ok
rokinot
rokinot@rokinot·
Mario Nawfal is a known scammer and engagement baiter let's not retweet his posts now
CL
CL@CL207·
cat got @citrini a new @ handle😎
rokinot
rokinot@rokinot·
@lonelysloth_sec @hrkrshnn @Montyly building an "agent" from the ground up for security is superior because you can force it to think in ways it previously wouldn't, add information it wouldn't find, optimize its prompt to make it smarter, etc
rokinot
rokinot@rokinot·
@lonelysloth_sec @hrkrshnn @Montyly hmmmmmmmm more or less. the problem w/ skills is that you have almost no control of its context window besides, well, the skill. the way agents talk to themselves is by shoving the entire conversation history into it, which is not very efficient to say the least
Hari
Hari@hrkrshnn·
The reason this result is impressive is the ability to match the 34 critical, high, and medium severity findings. That is a lot of findings. This is a pretty large and complex codebase. Most AI systems, including baseline ChatGPT, Claude, and Gemini, will find some bugs (and a ton of false positives), but not all. However, finding some bugs is not enough for an AI system. It needs to be able to find *all* bugs. What does it mean to find all bugs? The baseline: it needs to match all the bugs a competent human team will find over a reasonably sized manual audit. If it can match all critical, high, and medium severity findings, I'd consider it to have 100% coverage. Anything more is icing on the cake. Remember: no human audit today guarantees they'll find *all* bugs; they all come with disclaimers that tell you it's a point-in-time security review over N number of weeks, and many of them will recommend getting another security review to improve confidence that there's nothing left. Clearly, no single human in an audit team can guarantee that they'll find all the bugs in that team audit. Early versions of Apex never got close to 100% coverage. Sometimes it found bugs that the human team missed (which is normal in any audit, as the disclaimers state), but finding all the same bugs was impossible. We had to make a series of improvements over time to get here. And we still have a lot of work left to build confidence that this performance is indeed generalizable. But in getting here, we've made a pretty staggering realization: code security as we know it is on track to be solved! There's a lot of engineering and product work left, but there's a clear path ahead of us that will give us something that's faster, better, and cheaper than a human audit every single time. Maybe not 100% of the time today, but 100% over time. 
This is a huge statement that will rightfully receive a lot of skepticism, but hear me out: we had a list of bugs that we just couldn't get previous versions of Apex to find. But no longer! Our cracked Apex team pulled their hair out over weeks last year on certain complex bugs. Even when we were 'cheating' by telling Apex about the bug, earlier versions just didn't have enough intelligence to process certain issues. We don't see that anymore. We literally don't know of a bug or bug class that's out of reach today. We methodically track bugs that Apex is missing and bugs that are marked as false positives. We have a clear strategy for fixing every gap we spot in a generalizable way. It's now a lot of shipping, scaling, optimizing, and product work. There are two different ways people are taking this (that an AI can catch any bug): 1. Denial. I've seen this last year when coding agents started to look promising. So many strong engineers were in denial. They loved to point out every single mistake that these coding agents made. But others saw opportunity: what if the coding agents kept improving? 2. The opportunity. So many early users of Apex are finding out they can now get really good security guarantees on full-stack applications, something they could never do in the past. Imagine your backend application that interacts with sensitive data or money. You could never get a similar level of diligence as, say, smart contracts because it would cost too much and was an ever-moving target. You can now get continuous world-class security for the first time in history. In some way, these AI tools are increasing the total addressable market for security. We saw a similar trend with coding agents: people who have never been able to code before are now shipping apps that they've always dreamed of building but didn't have the know-how or time to create. 
We'll start to see this in security too: applications and teams that could never afford security guarantees that come with an external line-by-line code review by top security researchers can now get it.
Hari@hrkrshnn

Our cracked Apex R&D team has one job: to build the frontier AI security agent. Here's a benchmark on how an experimental version of Apex performed against a 6-person audit. It found all the Crits, Highs and Mediums, and several more!

horsefacts
horsefacts@eth_call·
hiring to scale security eng at @tempo. come work with @samczsun, @gakonst, and many others smarter than me on:
- fuzzing and invariant testing
- autonomous bug hunting
- continuous security tooling
- agentic chaos engineering
it's a weird, exciting time to move fast at the frontier.
rokinot
rokinot@rokinot·
@asen_sec I believe this is because enabling higher temperatures leads to higher hallucination rates, which is already pretty bad in general
0xasen
0xasen@asen_sec·
When they pushed their AI to explore edge cases more "creatively," discovery dropped from 50% to 20%. "Discipline in the workflow produces better results than ambition in the prompting." Two teams, two experiments, same conclusion.
0xasen
0xasen@asen_sec·
3 major pieces dropped last week on AI in web3 security - from @BlockSecTeam, @ConsensysAudits, and @xy9301. I went through all of them so you don't have to. Here are the most shocking insights:
thelema
thelema@networkspirits·
we made it yvtweets.wtf a moodboard of random yv tweets, if you star them they are added to certified bangers you can also leave memories & messages 🕊️
rokinot
rokinot@rokinot·
@Taridoku can't review something sponsors don't want to
gh0xt
gh0xt@Taridoku·
Genuine question. Why is access control still out of scope/ low / informational in big 2026? 1/6
jseam
jseam@henlojseam·
@Elder_DT He died of testicular cancer
rokinot reposted
yv
yv@yvtweets·
The world is beautiful, there are still many new experiences for you in this life, and you have not yet met everyone who will love you
rokinot
rokinot@rokinot·
i don't know if judges like this or not, hope they do lol
rokinot
rokinot@rokinot·
whenever I compete in code4rena and write a QA report, I'm always leaving the "most impactful" low severity issues, aka the borderline mediums at the top, and the most menial stuff at the bottom
sashko.eth🇺🇦
sashko.eth🇺🇦@d0rsky·
Paid submissions? Let’s talk
We need to be honest about what’s happening to bug bounty right now
We live in AI era, where submission volume is growing fast, but signal is not
A lot of reports getting lost, delayed, or stuck in review loops
And this hurts everyone - especially professional whitehats with real findings
Over the last months, we’ve been trying to fix this step by step
Reputation points system was first
you submit spam → you get penalty points → you lose ability to submit
simple incentive on quality
Then - MCP
Which helps teams triage faster, identify duplicates, reduce review time. Many companies already using it.
And now we are introducing a new option - submission fees.
We’ve been hearing this request from many companies and honestly, it feels like a next logical step to make the game more fair for everyone.
This is optional, not default, and not something every company will enable.
Fees going to be small ($1-$5), so this is not about monetization too
This is about adding a bit of friction, so people think twice before submitting something they are not confident in
Because today, there is almost no downside to spam. With $20 subscription, any user can generate thousands of reports even without understanding of them.
At the same time, we fully understand concerns, whitehats are our biggest asset and we still want new researchers to join the space, so we added:
• free credits for new users (via coupons)
• support for high-signal researchers
Goal is very simple - improve signal without losing important reports
I will keep you in a loop once any of HackenProof clients will enable it
Let's fix bug bounty together
Anteater
Anteater@0xAnteater·
ai: look you can be a part of changing the world crypto: look you can trade oil 24/7!
rokinot
rokinot@rokinot·
@adeolRxxxx looking at the repo it seems misleading, they're including the dependencies (uniswap and OZ) in these figures
rokinot
rokinot@rokinot·
@DadeKuma correct, the cost of inference is not decreasing and this will be a major problem for everybody if it's not dealt with
DadeKuma
DadeKuma@DadeKuma·
I hate this dumb AI timeline. Within a few years, 80% of current security auditors will be gone, and not for the reason you think. People don't realize that AI costs are actually increasing with each new model, not decreasing. Companies are selling at a loss just to capture the market; they'll pull the rug once we're all fully dependent by massively increasing prices. Those who rely entirely on AI have already stopped thinking for themselves. When this system eventually collapses, they will be left completely helpless.