Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The author of this post is a full-time bug bounty hunter. In the past, they would always share their findings. The ideas were cheap because execution is where the difficulty was at. You really only help a small number of people with a post because only so many people can reasonably execute it.

With AI, this has completely changed. AI is there to fill the gap. Execution is no longer as much of a bottleneck as it used to be.

Recently, their research led to them to a very specific vulnerability. They had AI pointed at the target but it found nothing. When they gave the very specific issue to the AI, it found multiple similar issues. The idea was where the money was at, NOT the execution in finding the issue.

What does this mean practically? If knowledge is money, then you're less likely to post things publicly. At least, not until you've wrung the towel dry. I don't like this path forward, since I learn so much from reading. But, I get it.

The other point mentioned is that the beginner is not very far from the expert in execution. Previously, deminimifying JS was a key skill that took years to develop. The complex setup process for a project was difficult. Now, these and many others are just a prompt away from solving.

As a manual bug bounty hunter, they believe there are two paths forward. One is to focus specifically on a large program and learn everything you possibly can about it. The other option is to use cutting-edge research that the AI doesn't know about to stay ahead of it. The former seems slightly easier to do, but there are only so many bugs to find. Personally, I think the latter will be the way forward.