Bug bounty will die. Everyone I know is building hackbots on Claude Code, and they're pretty good. All our bots will take away most of the bugs in the next few months, and then the companies will start running these same things internally.
The math stops working once that happens. Right now you can make decent money finding XSS and IDORs because most security teams are understaffed and overwhelmed. But when a company can spin up an agent that costs $50/day to run and catches 80% of what humans find? They’re not paying you for that IDOR anymore. They already found it.
I’ve been doing this for six years. Made good money, learned a lot, met interesting people. But I’m not going to pretend the ground isn’t shifting under my feet.
Some people say “oh but the really complex chains, the business logic stuff, AI can’t do that.” They can. I’ve seen it lately.
They’re not as consistent as humans yet, but that’s a temporary problem. Every limitation people point to sounds exactly like the arguments we heard about AI and code generation two years ago. “It can only do simple functions.” “It doesn’t understand context.” “It makes too many mistakes.” Now Claude writes better code than half the developers I know.
The bugs that survive will be the weird ones. The stuff that requires understanding how a business actually operates, why a feature exists, what the developers were probably thinking when they built it. Machines can find the patterns we’ve already documented. They struggle with the patterns nobody’s named yet. But that’s a shrinking pool, and more people will be competing for it.
I’m not doom-posting here. I’m figuring out what comes next. Maybe it’s building the tools instead of using them. Maybe it’s moving into areas where human judgment still matters more than automated scanning. Maybe it’s something I haven’t thought of yet. The one thing I know for sure is that grinding on HackerOne reports the way I did in 2021 isn’t a five-year plan anymore. It’s barely a one-year plan.
What bugs me most is how few people in the community are talking about this openly. Everyone’s either in denial or quietly pivoting without saying anything. I get it. Nobody wants to announce that their income stream is dying. But the silence feels weird when we’re all watching the same demos and running the same experiments.
- Joseph