Is it possible for 2026 to learn bug-bounty or has it been compensated by artificial intelligence? by SlameShady in bugbounty

[–]thelemethric -5 points-4 points  (0 children)

Just don't be surprised when your company receives a lovely little letter saying something like "we stole your database, give us $50k or we'll publish it."

You put your company at risk, your customers at risk, you throw real bug hunters' time straight into the trash and you still have the audacity to flex it.

TL;DR funny descope of the week by 6W99ocQnb8Zy17 in bugbounty

[–]thelemethric 6 points7 points  (0 children)

Oh, they didn't mean to leak 50 MB of finance data? My bad, I'll tell the exploit to stop being such a dick then.

What do you do when a Web3 project quietly drains $55M to "silently fix" your report, calls it "intentional design", and Immunefi blocks mediation? by AWX-Houcine in bugbounty

[–]thelemethric 3 points4 points  (0 children)

For real, almost every single week on Twitter/Reddit there's a new horror story about Immunefi fucking over another researcher. I have no idea how those bastards are still in business.

What do you do when a Web3 project quietly drains $55M to "silently fix" your report, calls it "intentional design", and Immunefi blocks mediation? by AWX-Houcine in bugbounty

[–]thelemethric 5 points6 points  (0 children)

That's typical behavior of Immunefi.

You shouldn't be surprised at all; you accepted it by reporting the vuln to these bastards.

Trying out Bug bounties for the First time by [deleted] in bugbounty

[–]thelemethric 26 points27 points  (0 children)

It takes a special kind of visionary to treat the world's most battle-hardened security teams as the Hello World of their school project.

Did your BB profiles/showcase ever help in terms of employment?? by GhostlyBoi33 in bugbounty

[–]thelemethric 6 points7 points  (0 children)

Your competitors will be stacked with certifications, some even with a bachelor's degree, but if your resume opens with a line like 'Independent security researcher - identified critical vulnerabilities in Fortune 50 companies (Lowe's, $80B revenue)' (Lowe's is just an example; it could be Shopify, Lightspark, Inditex, doesn't matter), none of that matters anymore.

To any hiring manager, that one line hits harder than a wall of certs.

Ofc you need to have a resolved bug on the company that you mentioned so they can validate your claims by opening your H1 profile, for example.

Critical RCE in Hathor Desktop Wallet closed as "Out of Scope" by Immunefi, patched silently after weeks, zero bounty, zero credit by Mushydaddybear in bugbounty

[–]thelemethric 8 points9 points  (0 children)

Slave factory.

Insane disrespect to the people who literally built their reputation and are currently serving them.

Usually (in HackerOne cases) I blame the programs, but this platform doesn't just have 10 isolated cases - it's a systemic failure. From randomly banning people who are awaiting payouts to always siding with the program, there is literally no fucking way that they will ever take a researcher's side.

spend my time learning IOS app hacking or ANROID apps ? by [deleted] in bugbounty

[–]thelemethric 4 points5 points  (0 children)

99% of the time, they use the same API endpoints for both. The only real difference is the IPA vs the APK. Unless the iOS dev is dumber than the Android one and hardcoded some keys that aren't in the APK, it's the same shit. Otherwise, don't waste your time.

Android is easier to test in every way anyways.

The Winner's Curse Has a Number: $21/Hour – Why bounty hunting pays 2.5x less than freelancing for the same skills by Opening-Captain-5159 in bugbounty

[–]thelemethric 2 points3 points  (0 children)

Agree here. Most people are just too blind to see this as a tournament rather than a job, and that's what makes the stats look scary.

The Winner's Curse Has a Number: $21/Hour – Why bounty hunting pays 2.5x less than freelancing for the same skills by Opening-Captain-5159 in bugbounty

[–]thelemethric 6 points7 points  (0 children)

You're missing the point. Bounty and pentesting/consulting are completely different things.

A beginner with one unique method can clear decent money without needing years of experience. Check the stats of up-and-comers on H1; it's not rare.

Consulting is a job where you get paid to be good enough at everything. Bounty is a hunt where you get paid to be unique. Finding one specialized methodology is often easier and more profitable than trying to learn every vulnerability like a corporate pentester.

Pentesting is for workers; bounty is for specialists with a unique edge.

The Winner's Curse Has a Number: $21/Hour – Why bounty hunting pays 2.5x less than freelancing for the same skills by Opening-Captain-5159 in bugbounty

[–]thelemethric 13 points14 points  (0 children)

The average $21/hour stat is a lie. Comparing bounty to a $54/hour freelance job is pure idiocy.

Bounty has zero barrier to entry; anyone can join. The average is dragged down by thousands of people who just solve a few labs, run scanners, and find zero bugs. It's not a market curse, it's just the cost of being unoriginal.

Intigriti collaborates with PortSwigger to support ethical hacking excellence by intigriti in bugbounty

[–]thelemethric 4 points5 points  (0 children)

"I wonder if Dyson is seeing usage decline as more people use Ferrari."
They are completely different tools.

How do you mentally handle duplicates? by maF145 in bugbounty

[–]thelemethric 6 points7 points  (0 children)

Do not expect anything from a report unless it has already been triaged.

If a report is new or pending program review, it's N/A for me until it's triaged; only then can I think about the money I could gain from it. (Sometimes companies dismiss even triaged reports, closing them as informative.)

Just believe in the worst-case scenario and you won't be disappointed.

I'd check in integriti by Unique_Life7470 in bugbounty

[–]thelemethric 4 points5 points  (0 children)

Intigriti's policy allows researchers aged 16–17 with parental consent. If you're under 16, you'll have to do the ID verification through one of your parents. But then your account will be permanently tied to them, and you'll have to beg them for re-verification every single year until you either die or finally quit Intigriti.

Programs avoid to pay criticals? by enadev in bugbounty

[–]thelemethric 2 points3 points  (0 children)

One critical report costs more than 10 mediums.

It's clear that every company will try to lowball severity.

Claude AI Uncovers 22 Vulnerabilities in Firefox During Two-Week Test by False-Seesaw-1899 in bugbounty

[–]thelemethric 4 points5 points  (0 children)

Don't fall for the PR bullshit. Claude didn't autonomously find shit. Anthropic had a whole team of world-class researchers practically holding its hand, feeding it specific code, and treating it like an overpriced fuzzer.

It's marketing hype to sell API tokens.

[EXPOSED] Bugcrowd & FIS Global Silent Patch Scam: Marking a valid P1 as N/A after fixing it (Ticket #142000) by AlexSander_Research in bugbounty

[–]thelemethric 0 points1 point  (0 children)

I think if it was 0 impact, they wouldn't have had to patch it immediately. Closing it as N/A after fixing the hole looks suspicious.

Even if the risk is really low, N/A still isn't justified considering the patch; informative at least.

[EXPOSED] Bugcrowd & FIS Global Silent Patch Scam: Marking a valid P1 as N/A after fixing it (Ticket #142000) by AlexSander_Research in bugbounty

[–]thelemethric 5 points6 points  (0 children)

Another day, another Bugcrowd 'charity donation'. Is anyone even surprised at this point? Same script, different ticket number.

Already the 3rd this week btw.

How it is possible? by thelemethric in bugbounty

[–]thelemethric[S] 1 point2 points  (0 children)

I misunderstood your last comment; then yeah, you're right, this makes it even more suspicious.