stuxf

68 posts

stuxf

stuxf

@stuxfdev

co-founder and ceo @verialabs (yc f25) | hack things @smiley_ctf

Katılım Eylül 2025
216 Takip Edilen488 Takipçiler
Sabitlenmiş Tweet
stuxf
stuxf@stuxfdev·
We spun out of the #1 hacking team in the US and built AI that finds what even the best hackers miss. During one engagement, it found 6 different ways to take over any user's account on a popular webapp. Completely autonomously. Then suggested fixes for every single one. Today we're announcing @verialabs' $3.2M seed, backed by @ycombinator, @gokulr, @paulg, and @woloski (co-founder of Auth0), and many other great investors. DM me if you want to know what we'd find in your app.
stuxf tweet media
English
25
19
243
56.4K
stuxf
stuxf@stuxfdev·
@t_blom @NotTomBrown Congrats! It’s been amazing having you as our primary YC partner and excited to see what you do at Anthropic
English
0
0
1
567
Tom Blomfield
Tom Blomfield@t_blom·
Personal update: I'm taking a leave of absence from YC to join Anthropic. I'll be working with @NotTomBrown on the compute team. Powerful AI has the potential to improve the life of every human on earth and, as we enter the early stages of recursive self-improvement, availability of compute becomes one of the most important issues to solve. I'm excited to get started 🚀
English
507
195
7.5K
2.8M
stuxf
stuxf@stuxfdev·
@sebonomics @stevenxiao_ there's a cca alum who graduated hs <10 years ago and has already founded a unicorn 😛
English
0
0
3
40
steven xiao
steven xiao@stevenxiao_·
growing up in a talent dense high school was one of the most important parts of my development and is one of the best things you can do for your kids for context 50 kids got into Berkeley and 7 into Caltech this year alone this environment has two underrated side effects: 1. Baseline ambition is higher when exceptional ability is normalized. 2. People develop better BS detectors. Growing up with world class talent teaches you the difference between actual ability vs striver credentialism.
StripMallGuy@realEstateTrent

The most impactful thing that ever happened to me was when my parents made me switch high schools after my freshman years. Yes, it sucked for a few months. But at the old high school, getting good grades was embarrassing. At the new one, it was cool. My new friends were Mike, and Roy, and Nick. Mike later went to Harvard Business School, and became a venture capitalist. Roy is now one of the top children's gastroenterologists in LA - and Nick runs one of the most highly respected youth tennis academies in California. Even Adam - a random guy on my baseball team, is now the general manager of an NFL team. Where your kids go to high school matters more than where you kids go to college. High school is where they decide what they're going to prioritize.

English
16
8
252
56.9K
stuxf retweetledi
SuperBeetleGamer
SuperBeetleGamer@Cayden_Liao·
🧵Veria AI autonomously found and demonstrated a critical vulnerability in Aleo, finding a proof forgery in Aleo's snarkVM. The project awarded us the maximum bounty of $65,000 for the find.
English
5
5
50
10.1K
stuxf
stuxf@stuxfdev·
@IntCyberDigest Of course it’s also probable that a lot of these are real, but I’ve seen some of these supposed disclosures that definitely are not.
English
0
0
3
302
stuxf
stuxf@stuxfdev·
@IntCyberDigest A lot of these “rejected zero-day RCE submissions” are just the result of AI Psychosis and aren’t real vulnerabilities. Happy to DM for more details, don’t want to publicly put any of these groups on blast.
English
2
0
20
3.4K
International Cyber Digest
International Cyber Digest@IntCyberDigest·
‼️🚨 Pwn2Own Berlin 2026 just hit a wall. For the first time in 19-years, ZDI rejected dozens of working zero-day RCE submissions because organizers ran out of contest slots. Rejected hackers are now going public with PoC demos and direct vendor disclosures, breaking Pwn2Own's usual secrecy. ▪️ AI surfaces a massive wave of 0-day RCEs. ▪️ Submissions overwhelm ZDI past max capacity. ▪️ Slots run out. Researchers with working chains get rejected. ▪️ "Revenge disclosures" begin. ← we are here. Confirmed casualties so far: ▪️ @xchglabs : 86 vulnerabilities prepared (PyTorch, NVIDIA, Linux KVM, Oracle, Docker, Ollama, Chroma, LiteLLM, llama.cpp). All rejected. Now reporting directly to vendors with writeups dropping as patches land. ▪️ @ggwhyp : full-chain Firefox RCE on Windows. Rejected. Publicly demoed (HTML page → cmd.exe → calc.exe). Responsibly disclosed to Mozilla. ▪️ @yunsu_dev : working RCE chain, rejected. Submitting elsewhere. ▪️ @ryotkak : tried to register for 3+ weeks. ZDI confirmed "at maximum capacity, can't add extra contest days." Considered canceling flight and hotel. ▪️ @anzuukino2802 : Claude Code RCE PoC. Rejected. ▪️ @desckimh : 0-day RCEs in Ollama and LM Studio. Rejected. Reported impact: a community-estimated 150+ researchers tried to register. Accepted contestants are now being warned about collisions. Rejected vulnerabilities going to bug bounty programs may trigger pre-event patches that invalidate the work of those who got in. ZDI has not publicly addressed the capacity issue. The event still runs May 14-16 in Berlin.
International Cyber Digest tweet mediaInternational Cyber Digest tweet media
English
32
374
1.5K
415.5K
stuxf retweetledi
LakeCTF
LakeCTF@LakeCtf·
🏆#EPFL #LakeCTF 2026 — it's a wrap! 🚀 Another year, another amazing battle of brains of creativity!🧠💻 Congratulations to this year's winning team pls carry :3! And thank you to every participant for making this edition such a success.👏 🥇 pls carry :3 🥈 .;.;. 🥉 FluxFingers
English
0
10
45
3.4K
stuxf retweetledi
SuperBeetleGamer
SuperBeetleGamer@Cayden_Liao·
Part 2 of @verialabs Securing Open Source series: We found 2 bugs that could be chained together in Kraken Wallet: Chaining both, a malicious dApp could impersonate a trusted one and disguise transactions as messages, silently draining user funds. Blog: verialabs.com/blog/securing-…
English
0
1
6
706
stuxf retweetledi
Charlie Marsh
Charlie Marsh@charliermarsh·
We wrote up everything we do to secure our open source projects at Astral
Charlie Marsh tweet media
English
10
39
359
23.3K
stuxf
stuxf@stuxfdev·
@GrahamHelton3 I wonder what needs to happen in order to make a shorter disclosure policy the norm
English
0
0
0
149
stuxf retweetledi
Joseph Zhang
Joseph Zhang@sohan_zhang·
recently onboarded to @verialabs (F25) to help with our security Highly recommend working with them! Super professional, clean UI, and well worth the investment The product lives within our CI/CD, and it's a super easy github integration 🥂
English
3
3
20
2K
stuxf retweetledi
jayden
jayden@0jayden_·
Starting a series where we write up interesting vulns our agent at @verialabs finds: First up, 1-click RCE in Goose, Block's coding agent with 33k+ stars: verialabs.com/blog/securing-… Goose was vulnerable to CSWSH, allowing an attacker-controlled website to run arbitrary commands.
English
2
7
20
2.3K
Santosh K
Santosh K@santokri1·
@stuxfdev @aszx87410 @verialabs I would like to know using the Claude Agent SDK, how you can route through your CC Pro/MAx plan ? I can also test with the repo you shared ? Thanks !
English
1
0
0
207
stuxf
stuxf@stuxfdev·
We at @verialabs built an autonomous CTF agent in a weekend and won 1st place at @BSidesSF 2026, solving all 52/52 challenges. It races multiple AI models (Claude, GPT-5.4) in parallel, each in isolated Docker sandboxes with full CTF tooling. A coordinator LLM reads solver traces and sends targeted guidance to stuck agents. As AI gets better at finding and exploiting vulnerabilities, we think it's important to understand exactly how good it is and where it fails. github.com/verialabs/ctf-…
English
9
53
317
35.1K
stuxf
stuxf@stuxfdev·
@l33tdawg @verialabs @BSidesSF It’s open source! You can run it yourself, curious to see the results, there’s definitely improvements to be made ;)
English
1
0
2
789
stuxf
stuxf@stuxfdev·
@EvanKlein338226 @verialabs @BSidesSF Mostly ended up using GPT because I didn’t want to use too much of my Claude usage 😅, so I had it disabled for most of the CTF. Just first solve, IIRC each subagent can submit to a rate limited queue that just automatically tests submission against ctfd
English
0
0
0
1.5K
Evan Klein
Evan Klein@EvanKlein338226·
The parallel racing approach is clever - did you find Claude vs GPT-5.4 had different strengths? I'd imagine Claude handles web challenges better while GPT-5.4 might edge out on binary/crypto with reasoning. Also curious about the coordinator's decision heuristics. Does it just take first solve or does it validate outputs before accepting?
English
1
0
1
1.6K
stuxf
stuxf@stuxfdev·
@aszx87410 @verialabs you can (unofficially) run this for free, so long as you have an existing CC/Codex subscription. I'm using the Claude Agent SDK, which allows you to route through your CC plan, though this is unsupported. I also route the OpenAI models through codex app server's JSON RPC.
English
2
0
4
1.3K