Tsvetan Stoychev

3.5K posts

@ceckoslab

Currently at Akamai, creator of Basic RUM: https://t.co/RQShZ6CVso, Webperformance enthusiast, Magento addict since Magento CE 1.2.1.2

Munich, Germany. Joined December 2010
747 Following, 788 Followers
Tsvetan Stoychev @ceckoslab:
@rez0__ I mention that it was AI assisted and extensively tested and verified by me.
Joseph Thacker @rez0__:
Alright, real talk. Should it be acceptable to say “I found X bug” if it was 90% Claude?
Tsvetan Stoychev @ceckoslab:
Discovered 2 OOB writes and 1 OOB read and I don't know what to do :D
Bryan Helmkamp @brynary:
I've worked on Fabro for 30 days straight. I asked Claude to estimate the effort and cost.

> Compared to the $400k-$750k it would cost without AI, the actual cost of $62k-$108k represents an 80-85% reduction.

Sounds about right! (I'd ~2x tokens.) gist.github.com/brynary/7fc6c0…
Tsvetan Stoychev @ceckoslab:
@brynary Are you now using Fabro to develop Fabro? And if yes, do you think that it saves time and reduces cost?
Tsvetan Stoychev reposted
Bryan Helmkamp @brynary:
Today I'm thrilled to open source what I've been working on... Meet Fabro (github.com/fabro-sh/fabro), the dark software factory for small teams of expert engineers. Fabro gets you out of the REPL (read-eval-prompt-loop) by layering deterministic workflow graphs over agent sessions. It's batteries included with cloud sandboxes, quality sign offs, multi-model ensembles, and Git checkpoints. It's MIT licensed so you can fork and own your AI coding toolchain. Single Rust binary with zero deps. I'd love to hear what you think!
Tsvetan Stoychev reposted
Todd Saunders @toddsaunders:
I know Silicon Valley startups don't want to hear this..... But the combination of someone in the trades with deep domain expertise and Claude Code will run circles around your generic software.

I talked to Cory LaChance this morning, a mechanical engineer in industrial piping construction in Houston. He normally works with chemical plants and refineries, but now he also works with the terminal. He reached out in a DM a few days ago and I was so fired up by his story, I asked him if we could record the conversation and share it.

He built a full application that industrial contractors are using every day. It reads piping isometric drawings and automatically extracts every weld count, every material spec, every commodity code. Work that took 10 minutes per drawing now takes 60 seconds. It can do 100 drawings in five minutes, saving days of time.

His co-workers are all mind blown, and when he talks to them, it's like they are speaking different languages. His fabrication shop uses it daily, and he built the entire thing in 8 weeks. During those 8 weeks he also had to learn everything about Claude Code, the terminal, VS Code, everything.

My favorite quote from him was when he said, "I literally did this with zero outside help other than the AI. My favorite tools are screenshots, step by step instructions and asking Claude to explain things like I'm five."

Every trades worker with deep expertise and a willingness to sit down with Claude Code for a few weekends is now a potential software founder. I can't wait to meet more people like Cory.
Tsvetan Stoychev @ceckoslab:
"Unfortunately we were unable to reproduce your submission, as not enough information was provided to replicate your findings." Wondering how often folks get such a response that lacks details from bug bounty platforms, and what is the constructive way for this to get better?
Tsvetan Stoychev reposted
Dr. Christian Geuer-Pollmann:
Been hacking on an Elixir port of @karpathy's autoresearch — an LLM agent that designs and trains GPT models autonomously, overnight. Turns out the BEAM is (unsurprisingly) a natural fit: hot code reloading for experiments, multi-GPU fault tolerance, LiveView to watch it think.
Tsvetan Stoychev reposted
Treo @__treo:
🚀 Treo Site Speed Update: Page-level CrUX data, 2 years of history, and a Free Plan.

What's new:
• Page-level CrUX report: Real-user metrics for individual pages.
• Multi-page reports: Track up to 10 specific URLs in a single report.
• Free Plan: Save and monitor your reports for free.
• 2 years of BigQuery data: Treo is known for the best origin-level report, and now you can access 2 years of history.
• Treo Scan Lite: Auto-discover your top 10 URLs and instantly check their metrics.
• UI updates: We kept our signature clean design and made it even better.

Test your site: treo.sh/sitespeed
Tsvetan Stoychev @ceckoslab:
@Behi_Sec My bad. It's Gemini 3.1 Pro. I also chose all PoC scripts to be written in Python. It felt like the LLMs were more efficient writing Python. What is your "😱 omg" moment while working on AI assisted vulnerability research?
Behi @Behi_Sec:
@ceckoslab That’s a good approach. Opus 4.6 + Gemini 3.1 Pro is the best combo IMO.
Behi @Behi_Sec:
What AI tools are you currently using in your bug hunting workflow?
bugcrowd @Bugcrowd:
Bugcrowd has seen a sharp rise in what we’re calling “AI slop” submissions: high-volume reports with thin evidence, templated write-ups, and little to no validation. That’s not how real vulnerability research works. Bugcrowd has always been built on human ingenuity and high-signal findings, so we’re introducing updated submission policies to reduce speculative AI-generated reports and keep the focus where it belongs: validated vulnerabilities that create real impact. These updates include enforcement against submission farming, automated pipelines, and repeated invalid submissions. Read the full update from @treyford: bugcrowd.com/blog/bugcrowd-…
Tsvetan Stoychev @ceckoslab:
@Bugcrowd I hope this helps others: All my submissions so far were discovered with the help of AI but I always spent 1-2 hours validating manually. There was 1 case where I found slop and didn't submit a report.
Tsvetan Stoychev @ceckoslab:
@LiveOverflow Personal experience: "Wanna be" bug bounty hunter here. With the help of Opus 4.5 got my first report 2 months ago. 4 more followed. I guided the model all the time. Without my guidance the model was finding low impact bugs but with more push from my side we got an RCE.
LiveOverflow 🔴 @LiveOverflow:
What I’ve always found amazing about CTFs is that "flag is flag". Whether you found an unintentional solve or pwned the browser with n-day for a XSS challenge, it didn't matter. I totally get the frustration of AI, but there is no solution other than accepting the change.
siunam @siunam321:

I started playing CTFs in 2022, and LLMs definitely changed the **competitive** CTF scene a lot, especially since mid-2025. I also started using LLMs in late 2025. Yes, those models did one-shot many challenges, but what's the fun of slopping them? I learned absolutely nothing 🥲
Tsvetan Stoychev reposted
trace37 @trace37_labs:
If you're using AI for bug bounty, you already know the two killers: context window limits and compaction amnesia. I use 6 lifecycle hooks for my mastermind-ai setup that act as checks and balances — injecting hunt state on session start, gating findings that lack proven impact, catching agents that surrender too early, and serialising everything to pick up exactly where the last session left off. The result: more agents running autonomously for longer, finding higher severity bugs. Cool interactive explanation of all 6 hooks here - labs.trace37.com/blog/mastermin…