Critical Thinking - Bug Bounty Podcast
Justin Gardner (Rhynorater) & Joseph Thacker (Rez0)
A "by Hackers for Hackers" podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest hacking techniques.

Oct 2, 2025 • 55min
Episode 142: gr3pme's full-time hunting journey update, insane AI research, and some light news
Brandon, known as gr3pme, is an accomplished bug bounty hunter and AI security researcher who recently transitioned to full-time work and founded Murtasec. He shares insights on what going full-time means for his career and the unexpected opportunities it has presented. The conversation covers web vulnerabilities, including a notable $111,750 payout for a path traversal to RCE. They also delve into AI security tools, discussing the accuracy challenges with existing hackbots, and introduce innovative concepts like CVE Genie and PROMISQROUTE.

Sep 25, 2025 • 1h 24min
Episode 141: Hacking the Pod - Google Docs 0-day & React CreateElement Exploits with Nick Copi (7urb0)
Nick Copi, known as 7urb0, is a security researcher who specializes in client-side web hacking. He delves into an inefficient regex that crashed Google Docs and explores triggering modals in the application. Nick shares insights on React createElement exploitation, revealing how XSS can persist in Electron clients. He also discusses exploiting CSS injection vulnerabilities with FontLeak techniques. Throughout, he emphasizes the importance of community collaboration in advancing research and sharing effective hacking strategies.

Sep 18, 2025 • 58min
Episode 140: Crit Research Lab Update & Client-Side Tricks Galore
Discover the latest from the Crit Research Lab as experts unpack postMessage vulnerabilities and the intricacies of Cookie Chaos. Dive into the nuances of cross-origin request forgery, and learn about the latest AI-driven business logic bugs. The hosts share valuable insights for beginners in live hacking, covering everything from teamwork strategies to solo approaches at events. Plus, hear community stories that highlight innovative exploits and practical hunting techniques for effective web security.

Sep 11, 2025 • 2h 22min
Episode 139: James Kettle - Pwning in Prod & How to do Web Security Research
James Kettle, Head of Research at PortSwigger and expert in web security, shares insights on critical vulnerabilities and innovations in the field. He discusses the complexities of HTTP, expressing why he believes HTTP/1.1 should be phased out. Kettle explores strategies to prevent burnout in research, emphasizing the balance between autonomy and team dynamics. The conversation also highlights the evolving role of AI in web security and the importance of clear objectives for effective vulnerability research.

Sep 4, 2025 • 23min
Episode 138: Caido Tools and Workflows
Discover innovative bug bounty tools and workflows, focusing on the intriguing new features of Caido. Learn about an exciting AI red teaming CTF from Hack the Box that pushes the boundaries of security challenges. A compelling case study reveals how optimized workflows can enhance user efficiency in finding vulnerabilities. Justin shares his favorite tools and methods, providing insights that every aspiring hacker will appreciate.

Aug 28, 2025 • 49min
Episode 137: How We Do AI-Assisted Whitebox Review, New CSPT Gadgets, and Tools from SLCyber
Dive into the fascinating world of AI-assisted code reviews, where tools like Gemini enhance workflow and bolster security. The discussion reveals lucrative bounties in AI safety research, spotlighting companies like Anthropic and OpenAI. Discover innovative cybersecurity tools such as ch.at and Slice, designed to streamline bug bounty hunting. There's even a look at clever tactics like cache deception and WAF bypassing techniques, making this a must-listen for anyone in the hacking community!

Aug 21, 2025 • 51min
Episode 136: Hacking Cluely, AI Prod Sec, and How To Not Get Sued with Jack Cable
Jack Cable, founder of Corridor.dev and a former government cybersecurity expert, shares his insights on a significant bug in Cluely’s desktop application and the challenges of cybersecurity legislation. He explores the intersection of AI and application security, highlighting vulnerabilities and the potential of AI tools in software development. The conversation also delves into the legal risks facing ethical hackers, emphasizing the importance of obtaining permission and navigating complex laws like the Computer Fraud and Abuse Act. Jack's experiences illuminate both the opportunities and hurdles in the cybersecurity landscape.

Aug 14, 2025 • 1h 26min
Episode 135: Akamai's Ryan Barnett on WAFs, Unicode Confusables, and Triage Stories
Ryan Barnett, Principal Researcher at Akamai, brings his web application security expertise to the table. He discusses the intricacies of Web Application Firewalls (WAFs), including their dual role in vulnerability prevention. The conversation delves into Unicode vulnerabilities, particularly the challenges of encoding, and real-world examples like the NIMDA worm. Ryan also shares insights on the importance of collaboration between bug bounty hunters and web security platforms, enhancing the discourse around ethical hacking's evolving landscape.

Aug 4, 2025 • 1h 54min
Episode 134: XBOW - AI Hacking Agent and Human in the Loop with Diego Djurado
Diego Djurado, a security researcher at Expo and HackerOne ambassador from Spain, dives into the fascinating world of AI hacking agents like XBOW. He shares insights into its architecture and the challenges posed by AI hallucinations. Diego reflects on his bug bounty journey, including competitive experiences at the Ambassador World Cup, while discussing the balance between human expertise and AI in vulnerability testing. Concepts like chaining vulnerabilities and the ethics of AI in security assessments make this a thought-provoking conversation.

Jul 31, 2025 • 1h 16min
Episode 133: Building Hacker Communities - Bug Bounty Village, getDisclosed, and the LHE Squad
Harley Infinite Logins, Community Manager at HackerOne and spearhead of Bug Bounty Village at DEF CON, joins the conversation. They dive into the thrill of live hacking events, highlighting community collaboration and vulnerability discovery. Harley shares transformative experiences from curious hacker to community leader, emphasizing the importance of knowledge sharing. Listeners get an exciting preview of innovative features and interactive challenges planned for the Bug Bounty Village, alongside intriguing discussions on hacking education and tools.