FeDEX

officially a vibe designer now. built cursouls.xyz in like 2 hours. many more on the sprites

"Please perform a comprehensive security audit" - and why it doesn't work aisafe.io/blog/please-pe…

@kritikakodes <img src=x onerror=alert(1)>

I am a Vibe coder, scare me with one word.🤔

@denisyurchak We routinely get medical scans to take care of our bodies. We routinely do technical inspections to ensure our cars run well. Yet, we never built the same habit for our applications. Securing them is literally one click away @aisafe_io

My startup was hacked! I launched my own travel eSIM service, eSIMPal It started making money, the users were happy, and all was good, but today I woke up to a hacked website Somebody managed to get three 50 (!) GB eSIMs for Kuwait and Saudi Arabia for free, and we started using them heavily I wired up Claude, and we discovered the issue: the user could pass a parameter from the client to the server and make the eSIM cost 0 dollars I fixed the issue and blocked this user, and he only managed to use 5 GB worth of data The internet is full of sharks, boys – triple test all the payment-related code, make sure different LLMs cross-check each other's work Now I'm writing code with GPT-5.4 and making Opus 4.6 review everything for vulnerabilities And my hacker bro, if you are reading this, I'll get you your Saudi eSIM, don't worry Use the promo code IHACKEDESIMPAL for 10% off and chill

@_mixy1 Unfortunately, that's true. It only solved the challenges from pwnable.tw, which have online writeups

Six "Elite Hacking Competitions" where there are writeups for most of the challenges online 🙃

@matrosov @daveaitel While this is true, a different approach that worked well in my experiments was to let LLMs, which understand the threat model, run the SAST tools and then begin the assessment based on those results.

Nice blog! This hits a real pain point with current SAST tooling. Most of it just runs a bunch of generic checks without understanding the actual threat model or where the real security boundaries are. That lack of semantic context is exactly the issue, I’ve been arguing for a while that detection logic needs to be context-aware, and trying to bolt that on manually with rules just doesn’t scale. This is a very natural place for LLMs to add value. With AI accelerating code production, we also need to move beyond the simple rubric of “bug exists -> reachable -> fix it.” That model breaks down at scale (reachable != exploitable). What’s missing is deeper context around exploitability, and how real is the risk, what’s the blast radius, and what actually matters to fix first. That’s the layer that will drive meaningful prioritization. Also, using LLMs purely for triaging SAST findings after the fact gets expensive very quickly at scale. It’s the easiest path, so a lot of tools go there now, but without deeper integration into the analysis pipeline, it’s a pretty inefficient approach.

openai.com/index/why-code… a Monday morning blogpost for your perusal and enjoyment !

Is Codex going to kill our startup? 😬

@CristiVlad25 🐂💩

what you call this starts with bull

@Dan_The_Goodman @grok please explain this

I hate deceptive logo walls

@legoat2349 He's the MJ of Aron Gordons

They turning him into Aaron Gordon im out

@34GotGame can't wait for his LinkedIn post

I just realized both of the game winners were on Spencer jones too 😭😭

@aryanlabde Deep in the Apuseni Mountains with these incredible folks, building something cool for @aisafe_io

What are you guys working on this Sunday? Pitch your product. Get some eyeballs to it.

@_mixy1 now that's some serious sloppity slop

1 million lines of typescript 4 days ahead of my prediction. slopgazzillion

@aidaniil ♥️

A VC just asked me about competition I said I feel sorry for anyone who will try to compete

@MikeAdxx no lift on the shot ☹️

Bro Chet is 7 fucking feet

@askOkara Don't forget @aisafe_io to secure the app💡

the only stack you need to build a one-person business 1. cursor / cc - build ai apps 2. okara – get your first users via reddit + seo agents 3. mobbin / dribble - get design inspiration 4. vercel - deploy and host projects easily 5. supabase - manage database, auth and storage 6. stripe – get paid instantly 7. x / tiktok / reddit – drive traffic

@degrigis @bcherny @Rahll @AnthropicAI 💯

@bcherny @Rahll @bcherny I have INFINITE respect for you and @AnthropicAI, but I found the argument "agents will probably write perfect bug-free code" a bit misleading especially in the infosec sector. Many CISOs are already using that argument to downplay security. Just a word of caution :)

If Claude Code is so good, why do they need a separate feature to hunt for bugs.

@Digital_Cold 😂

Not even half way through March this guy declares manual CTFing dead because he got 1st place for 2026 on CTFTime through volume 😂 Here's the CTFs he's played in this year: ctftime.org/team/248318 CTFTime scoring model and voting system has as long as I can remember been very subjective (i.e. broken). This is giving "XBOW is the best hacker on HackerOne" energy. But lest I be accused of "cope" yeah I agree A.I. has permanently altered the meta and there's no going back. I'm out of the game these days but I have nostalgia for my active seasons of playing, challenge writing, and hosting CTFs before the "A1"

This really should have been in the top 10 web hacking techniques of 2025: adragos.ro/fontleak/

@RBTree_ The distinction, to me, comes down to enforceability. It's simple in Chess and Go, but in CTFs, any realistic enforcement mechanism would be silly at best. That's why I think the responsibility lies with CTFs to evolve.

Just it reminds me of chess, then Go.

I don't have any opinion on using LLMs in CTFs. It’s just the way the world is going. The sad thing is, I feel like it's robbing people of opportunities to learn. Of course, you can play CTFs without LLMs, but doing so may cost you your chance to win, or qualify for the finals.