The Bug Bounty Singularity: Our Hackbot

wslh1 pts0 comments

The Bug Bounty Singularity: Our Hackbot · Joseph Thacker

© 2026 rez0.

01 Jul 2026

•

hacking

This past December, it became feasible for any skilled hacker to scale up a hacking agent, spending hundreds in token cost to find thousands in bounties. I call this the “Bug Bounty Singularity”. This is the story of JD (xssdoctor) and I building a hackbot which found 126 bugs in the last 5 months.

If you want to just read about the bugs, you can jump straight to the bugs.

Table of Contents

The Story (written by JD)<br>The Prototype

Hackbot rule # 1

Keep Hacking!

Validation

Stay Logged In

Real Talk

THE BUGZ<br>An Overview of the Findings

Vulnerability Research Portfolio<br>Critical — Full Partner Platform Takeover

Critical — Western Union API Leaks all Customers’ Data

Critical — Full Partner Platform Account Takeover via OTP Hash Leak

Critical — Stored XSS on raydium.io → Wallet Drain Primitive on Every Solana User

MOST OF THE OTHER BUGS

Found by Autonomous Cyber’s “FUZZ E” agent — single overnight run

The Story (written by JD)

The discord message came in at 6:10am:

rez0: Want to build a hackbot?

It wasn’t unusual for rez0 to message me at 6am. These days, we were talking to each other a lot throughout the day. It was a good fit. I liked to go deep into a target, pouring over the javascript and learning the mechanics of the app. Alternatively, rez0 tended “go wide”, finding niche or overlooked attack surfaces that most people would scroll right past, chaining together weird behaviors and forgotten endpoints. What brought us together was our love of AI.

Our conversations mostly revolved around Claude Code skills that we had written, or bugs that we had found using our agents. I generally pointed my agents at minified javascript. My skills were based on source-to-sink analysis, client side paths and feature flags. Rez0 created incredible skills for fuzzing, subdomain enumeration, and idor testing.

Claude 4.6 changed everything. Until then, the agents were being used to accelerate our workflow. But suddenly, they were finding bugs independently. We would point the agent at a target, load our skills and real bugs would pop out . The question was no longer whether the agents could help us hack. The question was whether they could replace entire parts of our workflow and how cost effective would it be.

The most important decision that we make as bug bounty hunters is how to spend our time . Do we “go deep” and spend hours or days understanding the mechanics of the application or should we “go wide”, spending weeks or months coding and maintaining an automation framework? Every minute spent on recon is a minute not spent hacking.

But unlike humans, AI agents don’t get tired or bored. AI agents don’t have to sleep or eat. They don’t procrastinate by watching 5 hours of minecraft videos on youtube (editor Joseph here: stop calling me out JD). Rez0’s idea was simple: make an automation framework which continually does wide scope recon and then goes deep into every target.

The discord message came in at 6:11am:

Xssdoctor: Lets build a freaking hackbot!

The Prototype

Day 1: 9:11am

xssdoctor: This is going to be easy

It was not easy.

At first, the idea sounded almost trivial. We had each spent the past year building Claude Code skills and finding great bugs. rez0’s skills focused on server-side bugs and wide-scope recon. Mine were designed for deep application analysis and client side vulnerabilities.

Individually, the skills were already useful. We used them to accelerate our own workflows. The plan was to merge them into a single autonomous system: a hackbot capable of performing broad recon and deep analysis at the same time.

The architecture seemed straightforward enough. The bot would live in the cloud. We would feed it a list of bug bounty targets, and it would continuously work through them one-by-one, loading different skills depending on what it found. Recon skills would map the attack surface. Analysis skills would inspect the application logic. Additional agents could validate findings, chain bugs together and write reports automatically.

Of course, since we were incapable of doing anything halfway, we immediately started thinking about dashboards, beautiful dashboards, Claude-generated dashboards. Dashboards which looked like this.

The dashboard, in all its Claude-generated glory.

Within three hours, we had prompted into existence queues, telemetry, logs, bug tracking, severity scoring and agent orchestration. We were up and running.

Eight hours later, reality hit

Hackbot rule # 1

We woke up to a dashboard full of bug reports and a quarter of our tokens gone. For a few seconds, it felt like success. Then we started reading the reports.

The first bug was a self-xss. The second was a CORS misconfiguration that wasn’t exploitable. Then came a “critical RCE” that turned out to be complete nonsense. One after another, the findings collapsed under even minimal scrutiny....

bugs skills hackbot rez0 agents bounty

Related Articles