If you run a Bug Bounty program (or platform) now might be a good time for you to publish the average time to triage for various issue severities. There are a _lot_ of disgruntled hackers out there at the moment who are waiting weeks / months for a program to even perform a first look at a report!

Bug Bounty is remotely debugging last year's unreliable n-day using last week's reliable n-day... which I can't report because the vendor needs "time to patch." 🤦

Heading to OffensiveCON this week? Thank you for coming to my talk... claude.ai/share/227b48...

Well this is depressing.

If you would like to see a preview of @jameskettle.com's Blackhat talk "the HTTP terminator" then check out this interview my colleague @jameswilson.io recorded with him. Some pretty freaky stuff! VIDEO: www.youtube.com/watch?v=GdFG... AUDIO: risky.biz/RBNEWSSI126/

2026 and Bug Bounty triage is broken. This has on the horizon for years, even without LLM pressure, but it still seems to have caught _every_ major platform and large private program by surprise.

I'm thrilled to announce "Can AI Do Novel Security Research? Meet the HTTP Terminator" will premiere at Black Hat USA! Check out the abstract: blackhat.com/us-26/briefi...

👏 @intigriti.com

The VSCode remote editor function has really gone to crap recently. Any form of linting is just spinning server CPU at 100% and OOM killing random processes. Going to have to go back to filesystem monitoring and rsync at this rate.

When reviewing pull requests with new additions for CSPBypass.com, I often find myself questioning how useful a given entry actually is. If no websites whitelist a specific host, there is little point in adding it.

Every bug hunter / vulnerability researcher / pentester should have to write their own blind or timing based SQL injection tool. It's like a rite of passage, if you've taken the time to understand and produce your own you'll probably make it in this world, if not 😬 x.com/slonser_/sta...

Last BSidesNYC I sat behind a guy doing the CTF with ChatGPT. Ctrl-a paste page source and a screenshot, hit enter, repeat. User totally not reading the output. LLM got the flag (flappybird-style JS challenge) after maybe ten rounds of this. Last message dude sent in the session was "We did it!".

This post on LLM use in CTFs sums up my feelings on the subject nicely. vt.social/@lina/116198... When simply directing LLMs for development / security research / CTFs it's quick, often accurate, often useful, but I don't inherently learn anything other than how to direct the LLM.

What I'm waiting for: Email updates to 5 separate Bug Bounty reports What I get: Email notifications of 3 year old reports being closed 😭

Same.

If you are selling a mirror and your ad creative includes images of the product with impossible reflections, I'm going to have to go ahead and assume your product doesn't work very well!

I'm sympathetic to corporate policy "patch gaps", but when it's framed as "acceptable exploitation window" it hits on a different level 🤔

Dad’s books are full of empathy, common sense, and a healthy suspicion of the powerful. But at its heart his work is also about how systems keep people poor while pretending it’s their own fault. So I hope Kemi’s taking notes as well as reading the jokes.

An in depth summary of the consequence of Google VRP increasing bounties in 2024. "We observe statistically significant increases in the reporting of high-value bugs, especially in the highest impact tiers and high merit submissions." 🔥 arxiv.org/abs/2509.16655

An in depth summary of the consequence of Google VRP increasing bounties in 2024. "We observe statistically significant increases in the reporting of high-value bugs, especially in the highest impact tiers and high merit submissions." 🔥 arxiv.org/abs/2509.16655

The new favourite fidget toy on my desk is the Zippo lighter I've had since I was a teenager. There is something about the noise of the cap flipping open and flint sparking. This has replaced the ever popular poker chips. Needless to say, I am not a great example for my kids 😬

Hackers tops the list of films that have influenced my life. Without seeing this film as a young teen I may not have misspent my youth in front of a computer trying to understand how it all worked. Which, despite what my parents suggested at the time, seems to have worked out well for me 😆

That feeling when you finally read that blog post you've had open in a browser tab for 3 months, and it's complete garbage 😑

It's been another year since my wife and I lost our first daughter Chloë. She would have been 7 today. With each passing year I can't help but think about what her life would have been like, what our life would have been like, had she been given a chance. I love her so much, but don't even know her.

This jaw dropping write-up of an LLM solving a DEF CON CTF challenge(!) with minimal human interaction 🤯 It seems like "vibe-reversing" is becoming a viable option now...

There is something quite depressing about many of the advertised agentic AI use cases being posting "viral" content to social media. It stinks of one person assuming their time is inherently worth more than everyone else.

I've said it before and I'll say it again, Windows 11 is _such_ a hostile user experience, it's like they've actively tried to make it unpleasant to use 😑

Can Bluesky say every word in the dictionary? I dunno but I plan to find out! I made a website that tracks every single word said on bluesky (as of yesterday).

The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com

We released our Fuzzilli-based V8 Sandbox fuzzer: github.com/googleprojec... It explores the heap to find interesting objects and corrupts them in a deterministic way using V8's memory corruption API. Happy fuzzing!

I presented my magnum opus in 2014 and have been in steady decline ever since.

There are bad security takes, and then there is @daniel.haxx.se attempting to shame @jameskettle.com for not "responsibly disclosing" a vulnerability to the curl project that doesn't affect the curl project... and _then_ complaining the details are being kept "secret" :facepalm:

I presented my magnum opus in 2014 and have been in steady decline ever since.

There are bad security takes, and then there is @daniel.haxx.se attempting to shame @jameskettle.com for not "responsibly disclosing" a vulnerability to the curl project that doesn't affect the curl project... and _then_ complaining the details are being kept "secret" :facepalm:

After the intense focus of Live Hacking Events, I often find myself at quite a deep emotional low point. The highs of the event fade, focus needs to completely shift to other, usually less valuable, targets. I find these events hugely rewarding, but need to remember to be kind to myself after them.

If you have a machine with PKEY support and somewhat recent Linux kernel you can now play around with hardware support for the V8 sandbox. When active, JS + Wasm code has no write permissions outside the sandbox address space. To enable, simply set `v8_enable_sandbox_hardware_support = true`.

Famous last words: > This just leads to weird behavior, not a vulnerability

Today was my last day as a pentester at Bsecure. After a three-year journey of hunting on the side, I’m ready to go all-in as a full-time bug bounty hunter. You can read about my journey from pentester to full-time hunter here: gelu.chat/posts/from-p...

Yesterday I discovered it's theoretically possible to create an ASCII Jar file, one where each byte of the file is a valid ASCII character. Today I'm trying to create one. Sometimes I regret my impulses.

I often find when explaining complex exploits that it can appear like such an unlikely event that the exploitable steps exist. In reality it's just _this_ is the particular set of unlikely steps I found. I'm sure there are others, but I stopped looking after these steps were successful 🤔

I love it when I answer my own questions

I've recently reported a bug that was _caused_ by patching. If the old version of the library was left unpatched it wouldn't have been vulnerable 🫣 Remember folks, don't patch your dependencies... or do... or you are damned either way 🤷‍♂️

At 33,500,000,000 hashes / second, it'll only take *checks calculator* 17.5 years and $115,000 for an exhaustive search... I might need to rethink this 🤔

I'm currently at the "Is it worth it to rent some cloud GPUs in order to attempt to bruteforce a hash" stage of bug hunting 😬

CVE-2025-5419 ITW Chrome exploit mitigated in 1(!) day after report to all users without requiring a browser update 🤯 I hand't read up on the Finch Kill Switch before, such a powerful exploit mitigation feature from the Chrome team! developer.chrome.com/docs/web-pla...

The recording of my recent AMA with the Burp Suite Discord community has just landed on YouTube! 40 minutes of unscripted Q&A on security research, AI, and Burp Suite: youtu.be/mgmUZ9odkvU

For those who missed it, check out my talk, “Widgets Gone Wild: Exploiting XSS through Flawed postMessage Origin Checks.” 📺 Watch here: www.youtube.com/watch?v=qgB0... 🖥️ Follow along with the slides: 0-a.nl/nahamcon/

The slides and examples for my talk "Widgets Gone Wild: Exploiting XSS Through Flawed postMessage Origin Checks" at NahamCon can be found here: 0-a.nl/nahamcon/

If you’re into bug bounty hunting and like finding weird XSS bugs (like me 😊) in places most people overlook, come check out my talk at NahamCon 2025 this Friday, May 23. "Widgets Gone Wild: Exploiting XSS Through Flawed postMessage Checks"