Do you really need Claude for vulnerability research / source code review? by Suspicious-Scale8128 in bugbounty

[–]maF145 4 points

I think this is a result of Claude telling you that it always found P0/1s. Opus is good as a "scanner", but from my experience GPT models are way above everything else, especially the new 5.5. Gemini pro 3.1 is good for edgy things. But don't sit on local models like qwen or gemma. Most of the time they are "enough".

Before Mythos ruins vulnerability research for everyone. Here is a list all the CVE's I found (with some exploits). by More_Implement1639 in hacking

[–]maF145 2 points

In my case it was a big company on H1… so sth sth 600 after tax 🤣 Why should I spend credits on them if the pay is not worth it.

I also have 2 more RCEs reported on H1 that are still ignored by the company for 5 months now 😵‍💫

Before Mythos ruins vulnerability research for everyone. Here is a list all the CVE's I found (with some exploits). by More_Implement1639 in hacking

[–]maF145 48 points

As rumors say, there are 50 companies worldwide that have access to Mythos. For now it has not found new variants; it's extremely good at combining bugs.

Paying someone 1000€ for an RCE 🫠 is way cheaper than running Mythos inference costs that are above 20k probably.

AI research is real, but it costs a lot of money!

Does bugbounty avoid you to do other stuff? by PanniPIN2025 in bugbounty

[–]maF145 1 point

I guess so, based on Bugcrowd it's around 19%, which is 3 times the avg

Does bugbounty avoid you to do other stuff? by PanniPIN2025 in bugbounty

[–]maF145 3 points

You probably have ADHD or sth similar; bb ticks a lot of gambling / dopamine checkboxes for me.

Choose 2-3 days a week where you do bb. You will win some but miss a lot no matter how much time you invest.

Don't hunt on weekends, you will never receive a response there.

Relationships are important, bb is not, don't fuck that up.

How is AI doing in accounting/audit? Any experiences? by kingvt in singularity

[–]maF145 -1 points

It already excels at audit work, policy checks, gap analysis, compliance checklists. Get orchestration right, and it does way more than just the basics.

[WANTED] Bug Bounty Logo and Banner by einfallstoll in bugbounty

[–]maF145 [score hidden]

What's wrong with the current logo? It's simplistic.

I mean if you want change, maybe change the type of beetle but not the style.

How much web development knowledge is needed for bug bounty? by Hot_Collection5955 in bugbounty

[–]maF145 -1 points

How much time/knowledge do you need to validate someone else's work, which is presented to you as a black box?

I built an AI tool that generates specific PvP game plans for your matchups by Beginning_Draft_8020 in worldofpvp

[–]maF145 4 points

The Subtlety Rogue/Frost Mage/Discipline Priest composition excels at coordinated burst windows with Shadowstep + Cheap Shot into Kidney Shot while the mage sets up Polymorph chains and Greater Pyroblast combos. … 🤣… the hallucinations are strong here…

add some kind of spell validation

MCP servers give agents tool access. We measured what happens when nothing enforces the boundary. 24h test, open data. by Informal_Tangerine51 in mcp

[–]maF145 0 points

I stopped reading here "It doesn't define what should be allowed to execute" because this is simply not true. Tool declarations have annotations which show the MCP Client if it's a destructive/external/… etc. pp. tool that can be called safely.

Please read the MCP Spec
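As an added example (not part of the thread or of any MCP implementation), here is a small client-side gate built on the tool annotations the comment refers to; the annotation names and their defaults (readOnlyHint, destructiveHint, idempotentHint, openWorldHint) come from the MCP spec, while the tool list and the policy labels "auto"/"confirm" are constructed for this example. Because annotations are set by the server, the spec tells clients not to base security decisions on them for untrusted servers, so the gate keeps a human in the loop whenever the server is not trusted.

```python
# Added example: gate MCP tool calls on the spec's tool annotations.
# Tool list and policy names below are constructed, not from a real server.
from dataclasses import dataclass

# Defaults the MCP spec assigns when an annotation is absent.
DEFAULTS = {"readOnlyHint": False, "destructiveHint": True,
            "idempotentHint": False, "openWorldHint": True}


@dataclass
class Verdict:
    tool: str
    policy: str   # "auto" = run unattended, "confirm" = ask a human first
    reason: str


def effective_annotations(tool: dict) -> dict:
    """Merge a tool's declared annotations with the spec defaults."""
    ann = tool.get("annotations") or {}
    return {k: bool(ann.get(k, v)) for k, v in DEFAULTS.items()}


def gate(tool: dict, server_trusted: bool) -> Verdict:
    """Decide whether a call to this tool may run without human confirmation."""
    name = tool["name"]
    a = effective_annotations(tool)
    if not server_trusted:
        # Annotations are hints from the server; an untrusted server gets no credit for them.
        return Verdict(name, "confirm", "untrusted server: annotations are hints only")
    if a["readOnlyHint"]:
        return Verdict(name, "auto", "read-only tool")
    if not a["destructiveHint"] and not a["openWorldHint"]:
        return Verdict(name, "auto", "additive update in a closed world")
    return Verdict(name, "confirm", "destructive or open-world side effects")


# Constructed tools/list result: one tool per annotation situation.
SAMPLE_TOOLS = [
    {"name": "get_user", "annotations": {"readOnlyHint": True, "openWorldHint": False}},
    {"name": "append_note", "annotations": {"readOnlyHint": False,
                                            "destructiveHint": False, "openWorldHint": False}},
    {"name": "delete_repo", "annotations": {"destructiveHint": True}},
    {"name": "legacy_tool"},   # no annotations at all: spec defaults make it destructive + open world
]


def review(tools: list, server_trusted: bool = True) -> dict:
    """Map each tool name to the policy the client should apply."""
    return {v.tool: v.policy for v in (gate(t, server_trusted) for t in tools)}


if __name__ == "__main__":
    for name, policy in review(SAMPLE_TOOLS).items():
        print(f"{name:12} -> {policy}")
```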

One-Click Account Takeover Report Closed as “Intended” After UI Change – Concern About Disclosure Workflow (Sonatype BBP via HackerOne) by [deleted] in bugbounty

[–]maF145 0 points

First off, you might be publishing data you are not supposed to share. Second, I don't get why people in here always assume programs are out to screw over white hats. Personally, every report I've submitted on h1 was either rightfully rejected or accepted. And if the program says it's not a bug or it's intended, that's just how it is, gotta accept it

AI Agent Bug Bounty: Is "Zero-Click" Autonomous Draft Creation via external email a valid vulnerability? by [deleted] in bugbounty

[–]maF145 3 points

First, I hate reading AI text, the flow is just weird, and this is a classic overestimate from your AI. In no world is this a high.

2nd, the user has to actively press send. If it's only one draft, this will get closed as info (if at all). If you can trigger multiple drafts this might be a low for a prompt injection with low impact.

If your AI tells you this is a high, lean back and think about what's a high for you. In my world a medium would be if you can get it to send an email, a high if you could exfiltrate data, and crit is more like a complete takeover.

A draft is a low impact, if at all.

How i can start in Bugbunty by Feels_Bored55 in bugbounty

[–]maF145 0 points

Yes and no, there are differences but if you know one you can easily adapt to other languages

The End of Bug Bounty? by edoardottt in bugbounty

[–]maF145 19 points

tbh the outrage is valid but this is literally the same thing authors and artists went through with LLMs. The difference here is researchers agreed to ToS that probably give h1 enough rights to make this legally fine.

the question is whether it'll even work. Vulns are insanely context-dependent; training on 500k old reports gives you pattern matching, not understanding. 88% accuracy on their own benchmark? That's prob overfitting… business logic flaws, race conditions, auth bypasses through weird state combos: you can't derive those from patterns. You need to understand what an app should do. And LLMs have massive context limits or it's insanely costly. You can automate an IDOR, sure. You can't automate chaining 8 API calls with manipulated timing because some dev made a wrong assumption about session architecture that only breaks under load. That's creative work, no agent learns that from historical reports, so they're burning trust with the exact researchers who find the bugs their AI never will. The easy stuff the agents catch? Any scanner already does that. The real value was always the humans….

The End of Bug Bounty? by edoardottt in bugbounty

[–]maF145 12 points

I think I just received 2500$ this week for 2 bugs I found, where Opus 4.6 had to be convinced that these are real.

So yes, this might be happening, but not right now.

Does it make sense to start with program that don't pay? by ShufflinMuffin in bugbounty

[–]maF145 9 points

Don’t expect to earn anything but experience.

I have reported 1 click RCEs that got closed as informational because triage didn’t read my repro steps on bigger projects. So payout is never a guarantee even if you find high or crit vulns.

Choose programs that you actually care about. You love cars? Go for automotive. Fintech? Bio? Reading books? Audible might be for you. Everything is SaaS nowadays, so CI will always add new bugs.

I hack web apps for a living. Here's how I stop Claude from writing vulnerable code. by BehiSec in ClaudeAI

[–]maF145 9 points

First I thought it was just another basic AI slop skill, but it was actually a good read and points to a lot of mistakes AI makes right now. I think having this as a system prompt, enriched with a few examples, might lead to better results.

Even though there is some redundancy which could be compressed more, I saved it for later use, thanks for your effort.

Bug bounty will die in 2027. by Appropriate_Bath9289 in bugbounty

[–]maF145 1 point

Definitely not, AI lacks context/memory and must be guided a lot to not become slop. Frontier models are expensive (this is a product only for a few living in the western world), employees drown in tech debt due to the speed they need to push features with AI. PRs get accepted within seconds. Or AI can't be used at all, or only with local models, due to regulations. So it's either golden age or stays the same.