This Is How They Tell Me Bug Bounty Ends · Joseph Thacker
An AI agent will soon be able to find all the vulnerabilities in any application. Or that’s what they say.
We’ll have no need for human hackers anymore because a hackbot will find-and-report everything immediately.
That’s how they tell me bug bounty ends.
…
I don’t buy it.
It won’t end with a bang.
No mass exodus of hackers.
No grand farewell for bug bounty legends.
It’ll be a slow handoff.
First, a few vulnerability classes will get harder to find. Then a category or two will get “solved”. Eventually, it will start to feel like a hopeless battle against ghosts in the machine that never sleep, never eat, and never lose context or focus.
But here’s my honest opinion: This isn’t going to be a funeral. It’s going to be a slow transformation for both the systems and the people.
There’s a common misconception that automation in bug bounty will arrive all at once, like flipping a switch from off to on. That’s not how it will go. That’s not how nearly anything transformative happens.
Most things are gradual. The changes are varied. And they start small.
Today’s hackbots (like Xbow, Ethiack, and others) can maybe find 1% of vulnerabilities on a hardened live production application. And they’re mostly simple, single-step, easily verifiable bugs. But that number will grow. Slowly, then all at once for some vulns.
2% becomes 3%.
3% becomes 4%.
It could take a big leap up when a company finds a particular technique or a way to target a specific vulnerability class.
This is the early stage of what I call the hackbot singularity. It’s the moment when the economics flip. It’s the moment when running a hackbot costs less than the bounties it earns.
And when that happens?
They won’t just run a single bot.
They will run as many as they can.
Why wouldn’t they?
And they’ll farm vulnerabilities across every public and private bug bounty program that exists. They’d be crazy not to.
A lot of people think this shift is years away.
I don’t.
I think we’ll hit a human-in-the-loop hackbot singularity by the end of this year. I don’t mean a full hackbot singularity. Not a system with hacking superintelligence or anything. Just a highly capable AI agent combined with smart operators (existing hackers).
One good hacker and a hackbot system working together will be able to outhack most everyone (from a volume perspective).
And once that system works, it’ll scale quickly, of course.
I think the first team to do this well will report more than 500 real bugs on programs this year. And when it happens, I think it’ll discourage a lot of people. I’m personally still optimistic. Let me tell you why.
Before I share why I’m optimistic for hackers, let me tell you why I’m optimistic for the systems. The ideal number of bugs in an app is zero. The ideal number of “required testers” is zero. In a perfect world, everything would be 100% secure.
This is all one massive step in that direction.
As for the hunters, in the short and medium term, the demand for talented hackers is going to spike.
Why?
Because AI has created (and will keep creating) a massive amount of new code. New features. New endpoints. New attack surface.
Even if hackbots claim the low-hanging fruit, the volume of mid-hanging fruit is continuing to go up.
Companies will need help to keep up.
They’ll hire bounty hunters as testers. As partners. As co-pilots to their hackbots. They’ll need our creativity, our grit, our honed skillsets. Hackbots will be able to close the loop on some select bugs, but for others, they’ll really need humans to complete the leads or validate the bugs.
And maybe more importantly, the world will still need humans for the complex bugs. The weird bugs. The ones that require trying really off-the-wall stuff or some piece of esoteric knowledge.
So what about everyone else? The hackers who don’t make it into the top 10%?
They’ll be fine too. Better than fine, I think, actually.
If you’re decent at bug bounty, you’re already a rare kind of person.
You’re creative. Self-motivated. Curious. And willing to bang your head against something until you figure it out.
People like that will find the edges and exploit them no matter what. That’s what they do.
Maybe some will shepherd AI hacking agents.
Maybe some will build security tools or launch security startups.
Maybe some will pivot to fitness or streaming or professional gaming.
Maybe some will become niche influencers in new categories.
Bug hunters aren’t people who give up.
And if the economy shifts a lot, they’ll shift with it.
Maybe not into the same category, but with the same grit.
So, Is Bug Bounty Dead?
Not yet.
Not today.
But one day? Yeah… bug bounty as we know it probably dies.
But the hacker mindset, the approach, the drive to understand how things work and break them?
That lives on. That thrives forever.
And we’ll be there.
Exploiting the systems.
As always.
This isn’t the end.
It’s just the next version.
– Joseph
Sign up for my email list to know when I post more content like this.
I also post my thoughts on Twitter/X.