Both are true, the difference is the skill level of the people who use / create programs to coordinate LLMs to generate those reports.
The AI slop you see on curl's bug bounty program[1] (mostly) comes from people who are not hackers in the first place.
In the contrary persons like the author are obviously skilled in security research and will definitely send valid bugs.
Same can be said for people in my space who do build LLM-driven exploit development. In the US Xbow hired quite some skilled researchers [2] had some promising development for instance.
I am a Burp guy, but lately Caido[1] has been trending, pretty lightweight and can be ran in headless mode. It's still very security-oriented (as Burp Suite is), but might be worth your time, notably as you can run it on a VPS/container to proxy all your traffic through it (which is by-design, contrary to my beloved burp/zap)
Pretty stoked for this model. Building a lot with "mixture of agents" / mix of models and Gemini's smaller models do feel really versatile in my opinion.
Hoping that the local ones keep progressively up (gemma-line)
I did have a similar need. Built it around discord as a bot that would parse links and the various filetypes associated (github repos, tweets, blog posts, pdfs...) to both archive the content and extract some quality metrics / insights.
I'd say that summarizing only is a bit sad since you go away from the actual substance, but at least it helps targeting what you actually want to spend time digging into. Still a bit worried about where we are going to end up if we only read recaps of recaps of recaps (reminds of me of Fahrenheit 451 when the main character talks of books being abridged, then people reading recaps of these recaps)
Depends on your hobbies. I'm into cybsec, there's a ton of small events where you can either be on stage (so submit a proposal), but there is often what we call "rumps" which are usually unplanned 5 minutes talks about a subject. They're a great way to practice.
Besides that, i guess schools/student groups that seek professionals. Non-profits works as well, I did that when I was younger (advocacy).
I often tend to integrate talking passionately about a topic in my head with an imaginary interlocutor. While not directly being a rehearsal in itself, it really helps with developing ideas and chaining concepts - at least for me.
I guess everyone is different in regards to handling the pressure when talking in public, but I do agree that you can feel it, most of the time, when someone rehearsed too "scholarly".
Looks very cool. Wondering what the client-side security researchers will be able to find with that. A friend of mine is developping DomLoggerpp [1] notably to monitor and debug JavaScript sinks.
Interesting. Quick question in regards to the code generation : Do you dump the DOM to provide relevant context to build the automation or does the agent automatically tries to discover relevant segments (like a claude code) ?
Edit : Answered in the video, dump of a simplified version of the DOM. How is the discovery of the rest is performed ?
Super nice, can really see the use cases, even for security testing.
I'd say the most important part is to have a low-friction tool that fits within an individual's workflow. I like their tool, but i do agree on my side that a Notion with collapsible toggles works better for me, right now (alongside a nice cmd+k to teleport to the right pages)
The AI slop you see on curl's bug bounty program[1] (mostly) comes from people who are not hackers in the first place.
In the contrary persons like the author are obviously skilled in security research and will definitely send valid bugs.
Same can be said for people in my space who do build LLM-driven exploit development. In the US Xbow hired quite some skilled researchers [2] had some promising development for instance.
[1] https://hackerone.com/curl/hacktivity [2] https://xbow.com/about