MonkeHacks #95

This post is very late; I’ve been on holidays in Japan for most of the month with my best friend. We flew with KLM to Osaka, hung out there for a while, and then travelled to Hakone, then Tokyo, then Sendai to visit my grandmother, and now I’m back in Tokyo on the way back through Japan. I fly back home in 5-6 days. I haven’t been hacking at all in the last few weeks. Google’s next LHE is happening in early April; there’ll be plenty of hacking to do very soon. For now, I save my energy and rest.

I tried a few new things this time - we went to a batting centre for baseball, and I really enjoy that - there’s something tranquil about a place where all you have to do is hit a ball. It’s just you and the ball and the bat. I fully understand why people go there to de-stress after work. I also used the onsen (hot springs) in Hakone, which have been really amazing. In Tokyo, I went bouldering with Kodai and mokusou, my two longtime hacker friends (they’re Rhynorater’s former mentees). I got new shoes here in Tokyo, and the cherry blossoms have started to bloom.

Soon, I think I'll reformat this newsletter a bit. I might keep this weekly format as a blog of what I do outside of hacking (or I might switch to biweekly for that stuff), and write the ideas I come up with as full blog posts instead.

Hakone Mototsumiya Shrine in Hakone. It was snowing and it was almost silent up there, very tranquil.

Weekly Ideas / Notes

  • There’s been some discourse on hacking with AI lately, so I’ll throw my own 2c into the mix. Yes, you will fall behind if you don’t adopt AI for hacking as soon as possible. No, this will not kill bug bounty, and various complex sub-disciplines of hacking will be safe because they’re too specialised. Yes, organisations that don’t accommodate the increase in valid submissions / findings as a result of AI will be in trouble. Those are my thoughts. Opus 4.6 is much better than people think. The frontier models like 4.6 are way further ahead than most people realise, even those who dabble with AI occasionally.

  • Adding on to this, bug bounty is going to look very different in the next one to two years. It will be more lucrative than ever if you’re established in the space and know how to find bugs. If you’re a beginner or you’re trying to establish a foothold, it’ll be harder than ever to break into bug bounty. The bar of “low hanging fruit” will rise to “medium hanging fruit”. The one thing that doesn’t change is that if you’re a motivated individual who can think critically, you’ll be fine.

  • I have greater concerns about the core bug bounty platforms as a whole. Both HackerOne and Bugcrowd have new leadership and some notable figures involved with the community on both sides have left in the last few years. Both platforms are pushing their pentesting offerings more heavily, as they are obviously more profitable. Will their boards prioritise profits over supporting the researcher community?

  • There’s probably room to undercut these platforms by creating a ticketing and payments system, but allowing programs to hire their own triagers or use managed triage services from other sources more easily. Since bug bounty is quite expensive to run on the existing platforms, I could see companies moving to this hypothetical new platform quite quickly if they can find triagers. I’m not going to build this thing, and these are just my thoughts on the matter. But maybe this will give one of you readers some ideas. One thing is for sure, the nature of bug bounty is changing, and the platforms are adapting. If you don’t adapt too, you’ll get left behind.

  • I connected my Claude Code (running on a VPS) to a Discord bot I vibecoded, so now I use Discord to manage projects. It needs work, but it’s cool. It’s a start.

  • We’ll be publishing another Starstrike blog soon - the only blocker is just that I’m really busy with travel right now. But soon! Soon. And after that, we have a really really cool blog post coming.

Reading List

Title                             Pages (read/total)   Author
The Night Circus                  130/512              Erin Morgenstern
Solenoid                          130/600              Mircea Cărtărescu
A Random Walk Down Wall Street    150/300              Burton Malkiel
How The World Made The West       265/400              Josephine Crawley Quinn
Founders At Work                  221/472              Jessica Livingston

Resources
