

Critical Thinking - Bug Bounty Podcast
Justin Gardner (Rhynorater) & Joseph Thacker (Rez0)
A "by Hackers for Hackers" podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest hacking techniques.
Episodes
Mentioned books

Oct 23, 2025 • 28min
Episode 145: Gr3pme's Secret: Bug Bounty Note Taking Methodology
Dive into innovative note-taking strategies that can elevate your bug bounty game! Learn how structured notes can boost collaboration and long-term success. Explore threat modeling techniques and essential attack vectors to watch for. Brandyn shares a Notion template and practical tips for monitoring JavaScript artifacts and other high-signal indicators. Plus, discover the benefits of turning past reports into valuable insights. Unlock the secrets to effective teamwork and streamlined investigations!

Oct 16, 2025 • 53min
Episode 144: Google’s Top AI Hackers: Busfactor and Monke
In this discussion, Vitor Falcão, a full-time bug bounty hunter known for his client-side exploits, and Ciarán Cotter, a seasoned researcher focused on AI vulnerabilities, dive into their recent successes at the Mexico Live Hacking event. They share insights on transitioning from front-end to AI targets, strategies for submitting bugs, and the challenges faced in full-time hacking careers. Vitor highlights the balance needed to avoid isolation in the industry, while both explore the complexities of exploiting AI-related vulnerabilities.

Oct 9, 2025 • 1h 4min
Episode 143: New Cohost + Client-Side Gadgets, LHE Meta — Instant Global Admin in Entra!
A new co-host joins the discussion as they dive into the excitement of live hacking events and the strategic dynamics of report writing. Recent news highlights YesWeHack's major EU contract win. The hosts tackle tackling deep pentesting scopes and the advantages of non-chained gadgets. They explore the intricacies of exploiting backend implementations and share clever techniques like client-side attribute smuggling. Insights on the Entra actor token flaw reveal critical vulnerabilities, while practical discussion on tools like Flareprox enhances the technical insights.

Oct 2, 2025 • 55min
Episode 142: Gr3pme's Full-Time Hunting Journey Update, Insane AI research, And Some Light News
Brandon, known as gr3pme, is an accomplished bug bounty hunter and AI security researcher who recently transitioned to full-time work and founded Murtasec. He shares insights on what going full-time means for his career and the unexpected opportunities it has presented. The conversation covers web vulnerabilities, including a notable $111,750 payout for a path traversal to RCE. They also delve into AI security tools, discussing the accuracy challenges with existing hackbots, and introduce innovative concepts like CVE Genie and PROMISQROUTE.

Sep 25, 2025 • 1h 24min
Episode 141: Hacking the Pod - Google Docs 0-day & React CreateElement Exploits with Nick Copi (7urb0)
Nick Copi, known as 7urb0, is a security researcher who specializes in client-side web hacking. He delves into an inefficient regex that crashed Google Docs and explores triggering modals in the application. Nick shares insights on React createElement exploitation, revealing how XSS can persist in Electron clients. He also discusses exploiting CSS injection vulnerabilities with FontLeak techniques. Throughout, he emphasizes the importance of community collaboration in advancing research and sharing effective hacking strategies.

Sep 18, 2025 • 58min
Episode 140: Crit Research Lab Update & Client-Side Tricks Galore
Discover the latest from the Crit Research Lab as experts unpack postMessage vulnerabilities and the intricacies of Cookie Chaos. Dive into the nuances of cross-origin request forgery, and learn about the latest AI-driven business logic bugs. The hosts share valuable insights for beginners in live hacking, covering everything from teamwork strategies to solo approaches at events. Plus, hear community stories that highlight innovative exploits and practical hunting techniques for effective web security.

41 snips
Sep 11, 2025 • 2h 22min
Episode 139: James Kettle - Pwning in Prod & How to do Web Security Research
James Kettle, Head of Research at PortSwigger and expert in web security, shares insights on critical vulnerabilities and innovations in the field. He discusses the complexities of HTTP, expressing why he believes HTTP/1.1 should be phased out. Kettle explores strategies to prevent burnout in research, emphasizing the balance between autonomy and team dynamics. The conversation also highlights the evolving role of AI in web security and the importance of clear objectives for effective vulnerability research.

Sep 4, 2025 • 23min
Episode 138: Caido Tools and Workflows
Discover innovative bug bounty tools and workflows, focusing on the intriguing new features of Caido. Learn about an exciting AI red teaming CTF from Hack the Box that pushes the boundaries of security challenges. A compelling case study reveals how optimized workflows can enhance user efficiency in finding vulnerabilities. Justin shares his favorite tools and methods, providing insights that every aspiring hacker will appreciate.

13 snips
Aug 28, 2025 • 49min
Episode 137: How We Do AI-Assisted Whitebox Review, New CSPT Gadgets, and Tools from SLCyber
Dive into the fascinating world of AI-assisted code reviews, where tools like Gemini enhance workflow and bolster security. The discussion reveals lucrative bounties in AI safety research, spotlighting companies like Anthropic and OpenAI. Discover innovative cybersecurity tools such as ch.at and Slice, designed to streamline bug bounty hunting. There's even a look at clever tactics like cache deception and WAF bypassing techniques, making this a must-listen for anyone in the hacking community!

Aug 21, 2025 • 51min
Episode 136: Hacking Cluely, AI Prod Sec, and How To Not Get Sued with Jack Cable
Jack Cable, founder of Corridor.dev and a former government cybersecurity expert, shares his insights on a significant bug in Cluely’s desktop application and the challenges of cybersecurity legislation. He explores the intersection of AI and application security, highlighting vulnerabilities and the potential of AI tools in software development. The conversation also delves into the legal risks facing ethical hackers, emphasizing the importance of obtaining permission and navigating complex laws like the Computer Fraud and Abuse Act. Jack's experiences illuminate both the opportunities and hurdles in the cybersecurity landscape.


