pessimist (@0xpessimist)'s Twitter Profile
pessimist

@0xpessimist

20 y/o Security Researcher
Proud member of @0xDup1337
Personal acc @notereneth
Audit requests: t.me/psm_ist

ID: 1654613622494986242

Link: https://psm.ist/ | Date: 05-05-2023 22:28:08

271 Tweets

776 Followers

589 Following

pessimist (@0xpessimist)

My notes are full of quirks I've come across in codebases and attack vectors that currently have no impact but could become critical as conditions evolve. I've seen this happen more often in Blockchain/DLT programs, but it applies to smart contracts as well, especially with the

pessimist (@0xpessimist)

Last month, I reported a critical severity vulnerability in a Cosmos SDK-based blockchain project and was awarded a $20,000 bounty. Thanks to WhiteHatMage for the advice on handling communications in private bug bounties.

Mitchell Amador (@mitchellamador)

By popular SR demand, we've created a new 'Paid Recently' bug bounty program filter. You can now view just the programs that have recently paid out in size. Happy hunting.

pessimist (@0xpessimist)

Excited to share that I'm now part of Hashlock! I'll be spending more time on audits, so I might slow down a bit on bug bounties. Reaching my Immunefi All-Star goal could take a little longer - or maybe not. I'm still digging into a potential big finding. If it turns out to be

m4rio (@m4rio_eth)

Update your google chromes, chromium based browsers CVE-2025-10585 - An attacker using type confusion can RCE into your machine

pessimist (@0xpessimist)

Every time I read a new Asymmetric Research blog post, I’m amazed at how simple yet incredibly effective the vulnerability is, and it hypes me up to go bug hunting.

pessimist (@0xpessimist)

> Bad auditors over-rely on LLMs to find bugs
> Zellic builds an LLM because bad auditors miss obvious bugs
> Basically an LLM trying to fix other LLMs' mistakes
> LLM finally shills the LLM-built + LLM-audited product on social media

How does it feel, anon?
WhiteHatMage (@whitehatmage)

Humble win. Medium paid on Immunefi 🧙‍♂️ Good project. Fair assessment and resolution, taking security seriously preventing any potential issues. Finding bugs to help me envision my bounty game mod.

pessimist (@0xpessimist)

The OG Code4rena we loved isn’t the same anymore. Standing with itsgreg and riptide, we’ve won together before and still do. The quoted tweet says it all.

WhiteHatMage (@whitehatmage)

I can only tell you about what's happening to many whitehats. Some top security guys trying to transition to web3 bounties face the usual mistreatment that whitehats face after sending a valid report. Many projects and platforms downplay the reports. Trying to make the

pessimist (@0xpessimist)

2022 leaderboard is wild. What caught my attention is that there isn't even a single name in common with the 2025 top 10.

pessimist (@0xpessimist)

I just realized that the Ethereum Bug Bounty program uses Google Forms for submissions BUT if you want to disclose via email, they want you to use PGP. Why was Google Forms even an option?