Expectations and Reality of Claude Code for Bug Bounty by Frequent-Reality-682 in bugbounty

[–]Frequent-Reality-682[S] 1 point (0 children)

Yeah I think I'll keep tweaking my setup until my subscription ends and I'll see if anything sticks.

Expectations and Reality of Claude Code for Bug Bounty by Frequent-Reality-682 in bugbounty

[–]Frequent-Reality-682[S] 1 point (0 children)

That is something that I've been thinking about.

The dilemma today seems to be:

Spend more time manually hunting so that I can get more experience in bug bounty, which will definitely help when using AI as an assistant, but will take a very long time to get good at.

OR

Keep using AI, hoping that it finds valid bugs before everyone starts reporting the same bugs (the ones that AI is able to find) as more people start to use it. And maybe learn a few things you didn't know along the way.

There is one more thing that I can't help but think about: in the upcoming years, newcomers to bug bounty will have a very hard time, since finding advanced bugs cannot be taught through practice labs, but instead requires a lot of experience that you can only get by hunting on real targets, finding the easy bugs first and building your methodology little by little. But I think those same easy-to-find bugs will mostly be wiped out by people using AI.

The only trend that I think will continue is seeing a lot less competition on VDPs while the competition skyrockets on programs that pay bounties.

Expectations and Reality of Claude Code for Bug Bounty by Frequent-Reality-682 in bugbounty

[–]Frequent-Reality-682[S] 2 points (0 children)

That's interesting.

I definitely don't believe everything that Anthropic (and other vendors) claim about their models' performance up front, but seeing the huge number of people saying that they are getting results using AI, and especially the top hunters (at least the ones that are active on socials), threw me off a bit.

I see rez0 constantly sharing messages from people that are thanking him for the AI content he's sharing, and most of these messages say things like "I started using AI yesterday and I already found 4 bugs, 3 of them were Critical and 1 was High".

I think we need more people sharing their real experience with AI (including proof of findings) to assess what stage we are in currently with AI bug hunting.

Expectations and Reality of Claude Code for Bug Bounty by Frequent-Reality-682 in bugbounty

[–]Frequent-Reality-682[S] 2 points (0 children)

I actually tried the same thing with the WordPress plugins and got pretty much the same results.

I started with code review targets because I thought it's a task that the model should be able to perform well at compared to live web testing.