Eldar (@pikuhaku)'s Twitter Profile
Eldar

@pikuhaku

Ex-developer and pentester |
Full-time security researcher and bug bounty hunter |
CTF player @KalmarunionenDM |
Researcher for @ctbbpodcast lab

ID: 1455798359650934784

03-11-2021 07:25:59

955 Tweets

1.1K Followers

218 Following

Eldar (@pikuhaku)

It's taken quite literally a month to get a 1-click ATO via DOM-XSS triaged on Bugcrowd. I'm not having the same issue anywhere else with getting client-side bugs triaged, so I'm fairly convinced it's just triager skill issue/mismatch.

Eldar (@pikuhaku)

Half of the effort is finding bugs, the other half is teaching triagers basic security concepts. I should be getting paid for the training.

LaurieWired (@lauriewired)

of course, this code is complete AI slop. Right off the bat, headers aren’t passed for POST/PUT/DELETE. Both the help and -v options flat out lie about what was sent. Literally half of the flags are no-ops. Oh, and it just silently drops authentication, so that’s fun. But

Ark (@arkark_)

Cross-Site ETag Length Leak blog.arkark.dev/2025/12/26/eta… I just posted the author writeup for impossible-leak in SECCON CTF 14 Quals. As far as I know, this is a new XS-Leak technique! The ETag header can become a side channel :)

Eldar (@pikuhaku)

I really wish Bugcrowd's triage consistently set P2 severity for 1-click ATOs. I would definitely be hunting more on there. Whether you get P3 or P2 depends solely on the (Bugcrowd's) triager you get.

Eldar (@pikuhaku)

>be a newbie bb hunter
>get a few reports rewarded
>realize ur nowhere near good enough to make a living out of it
>lightbulb.jpg "During a gold rush, sell shovels"
>launch ur own bug bounty courses
>teach elementary stuff to other newbies
All too common bb hunter pipeline

Nagli (@galnagli)

🤡 CVE-2026-21877 - 10.0 CVSS for AUTHENTICATED Remote code execution in n8n.io, what a joke.... This is the reason there are so many real risks to be found because of stupid scoring frameworks and compliance requirements

Ben Sadeghipour (@nahamsec)

Unfortunately most of the execs at these bug bounty platforms fail to understand one thing: Your platform isn't your product... your hackers are. 🤷🏽‍♂️

Ben Sadeghipour (@nahamsec)

godiego I mean I get the AI bubble. These platforms follow these trends every year. It was "CROWDSOURCED SECURITY" at first, then cloud, attack surface management, Blockchain, Crowdsource pentest, and now we are at "AI powered _____".

David Fairchild (@david_fairchild)

He's not just defending AI energy use. He is smuggling in a whole anthropology where humans are basically inefficient meat computers that you have to pour food and years into before they become useful. And once you accept that, the next move is obvious. If people are just costly

Justin Elze (@hackinglz)

I love these blogs because they always contain something like this. "We ran this test several hundred times with different starting points, spending approximately $4,000 in API credits. Despite this, Opus 4.6 was only able to actually turn the vulnerability into an exploit in

Patrik Fehrenbach (@itsecurityguard)

I finally let Claude do my pentest this week. Full 5-day engagement, zero human input. Here's what the client got: 😏 clawd.it/posts/10-repla… #bugbounty #pentesting #AI #cybersecurity #infosec #claudeai

Tuki (@thetukijoshua)

🚨Let me explain what just happened because I don't think people understand how insane this is.
> A woman asked ChatGPT for legal help. It told her to fire her real lawyer. She did.
> Then it wrote 40+ court filings citing laws that don't exist. Cases that never happened.

LonelySloth (@lonelysloth_sec)

a16z Ok. Just fire all the coders and have execs who don’t know the first thing about how computers work vibe code everything. It will be very entertaining to watch. The world will run out of popcorn.