Critical Thinking - Bug Bounty Podcast
Justin Gardner (Rhynorater) & Joel Margolis (teknogeek)
<p>A "by Hackers for Hackers" podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest hacking techniques.</p>
- 1 hour 35 minutesEpisode 168: XSSDoctor - Client-side Path Traversal Research
Episode 168: In this episode of Critical Thinking - Bug Bounty Podcast we’re getting a visit from the XSS Doctor. Jonathan joins us to go through his Client-side workflow, run labs, and diagnose some bugs live.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
Critical Research Lab:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today’s Guest: https://x.com/xssdoctor
====== Resources ======
The Dot-Dot-Slash That Frameworks Hand You: CSPT Across Every Major Frontend Framework
https://lab.ctbb.show/research/the-dot-dot-slash-that-frameworks-hand-you
URL validation bypass cheat sheet
https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet
====== Timestamps ======
(00:00:00) Introduction
(00:01:37) Home Automation AI Hack & E-signature bug stories
(00:12:15) E-signature bug
(00:17:01) XSS DR Intro and Bug Bounty Journey
(00:31:51) CSPT Workflows
(01:07:57) Wildcard Path Parameters
(01:30:34) Custom Sinks
2 April 2026, 9:00 am - 51 minutes 40 secondsEpisode 167: Stealing Bugs with Valeriy Shevchenko
Episode 167: In this episode of Critical Thinking - Bug Bounty Podcast we welcome Valeriy Shevchenko to talk about program management, anchor programs, and Theft in Bug Bounty.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
Critical Research Lab:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Sponsor: Check out ThreatLocker Ringfencing
https://www.criticalthinkingpodcast.io/tl-rf
Today’s Guest: https://x.com/Krevetk0Valeriy
====== This Week in Bug Bounty ======
HackerOne’s Bug Bounty Maturity Framework:
https://www.hackerone.com/blog/program-maturity-framework-bug-bounty-operations
Intigriti is hiring a Product Security Analyst
https://jobs.criticalthinkingpodcast.io/jobs/product-security-analyst-25ef4706
====== Resources ======
Valeriy’s Blog
====== Timestamps ======
(00:00:00) Introduction
(00:03:15) Valeriy's Bug story
(00:19:48) Anchor Programs and Bug Hunting Motivation
(00:29:50) Stealing Bugs
26 March 2026, 9:00 am - 53 minutes 2 secondsEpisode 166: Rez0’s Top Claude Skill Secrets
Episode 166: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Rez0’s Claude Skill Secrets, when AI Generated reports fall apart, and agents vs filters.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
Critical Research Lab:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today’s Sponsor: Adobe
====== This Week in Bug Bounty ======
Intigriti launched their ambassadors program. https://www.intigriti.com/ambassador
Adobe will be at Hack The Bay
Bug Bounty Maturity Framework
https://bugbountymaturity.com/
====== Resources ======
h1-brain
https://github.com/PatrikFehrenbach/h1-brain
caido skills
http://github.com/caido/skills
Tweet from Karpathy
https://x.com/karpathy/status/2031767720933634100?s=20
Find every inefficiency in your Claude workflow with one prompt
https://x.com/shannholmberg/status/2030605364421595468
====== Timestamps ======
(00:00:00) Introduction
(00:08:28) Claude skills
(00:30:00) How AI Generated reports fall apart
(00:38:44) Orchestration
(00:49:10) Agents vs Folders
19 March 2026, 9:00 am - 44 minutes 23 secondsEpisode 165: Protobuf Hacking, AI-Powered Bug Hunting, and Self-Improving Claude Workflows
Episode 165: In this episode of Critical Thinking - Bug Bounty Podcast Justin recaps his Zero Trust World experience, before we dive into Permissions issues client-side bugs, New Hardware Hacking Classes, and using AI to hack.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
Critical Research Lab:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Sponsor: Check out ThreatLocker Ringfencing
https://www.criticalthinkingpodcast.io/tl-rf
====== Resources ======
bbscope Update
https://x.com/sw33tLie/status/2029344643154919720
Matt Brown's Youtube Channel
https://www.youtube.com/channel/UC3VDCeZYZH7mCihtMVHqppw
Matt's Twitter:
MCP server for HackerOne to search reports
https://x.com/OriginalSicksec/status/2029503063095124461?s=20
Caido Skills
https://github.com/caido/skills
The Agentic Hacking Era: Ramblings and a Tool
https://josephthacker.com/hacking/2026/03/06/the-agentic-hacking-era.html
Announcing AI-driven Caido
https://caido.io/blog/2026-03-06-caido-skill
====== Timestamps ======
(00:00:00) Introduction
(00:06:23) bbscope report dumping & Matt Brown Training
(00:13:10) MCP server for HackerOne to search reports & protobuff success
(00:24:24) Hacking Mics with Permissions issues client-side bugs
(00:27:26) Can AI Hack things?
12 March 2026, 9:00 am - 1 hour 11 minutesEpisode 164: Tommy DeVoss: From Black Hat to Bug Bounty LEGEND
Episode 164: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Tommy DeVoss to talk about his origin story, Yahoo bugs, and how Tommy first got Justin into Bug Bounty
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
Critical Research Lab:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today’s Guest: https://x.com/thedawgyg
====== This Week in Bug Bounty ======
Python pitfalls: Turning developer mistakes into vulnerabilities
====== Timestamps ======
(00:00:00) Introduction
(00:06:22) Yahoo SSRF
(00:14:56) Tommy's Origin
(00:44:10) Bug Bounty
(00:51:47) SSRF Attraction, AI implementation, & Browser Hacking
5 March 2026, 10:00 am - 1 hour 8 minutesEpisode 163: Best Technical Takeaways from Portswigger Top 10 2025
Episode 163: In this episode of Critical Thinking - Bug Bounty Podcast It’s that time of year again! We’re looking at the Portswigger Research list of top 10 web hacking techniques of 2025.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
Critical Research Lab:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
====== Resources ======
Parser Differentials: When Interpretation Becomes a Vulnerability
https://www.youtube.com/watch?v=Dq_KVLXzxH8
XSS-Leak: Leaking Cross-Origin Redirects
https://blog.babelo.xyz/posts/cross-site-subdomain-leak/
Playing with HTTP/2 CONNECT
https://blog.flomb.net/posts/http2connect/
Next.js, cache, and chains: the stale elixir
https://zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir
SOAPwn: Pwning .NET Framework Apps Through HTTP Client Proxies And WSDL
https://watchtowr.com/wp-content/uploads/SOAPwnwatchtowr_soappwn-research-whitepaper_10-12-2025.pdf
Cross-Site ETag Length Leak
https://blog.arkark.dev/2025/12/26/etag-length-leak
Lost in Translation: Exploiting Unicode Normalization
https://www.youtube.com/watch?v=ETB2w-f3pM4
ORM Leaking More Than You Joined For
https://www.elttam.com/blog/leaking-more-than-you-joined-for/
Novel SSRF Technique Involving HTTP Redirect Loops
https://slcyber.io/research-center/novel-ssrf-technique-involving-http-redirect-loops/
Successful Errors: New Code Injection and SSTI Techniques
https://github.com/vladko312/Research_Successful_Errors
====== Timestamps ======
(00:00:00) Introduction
(00:02:33) Parser Differentials: When Interpretation Becomes a Vulnerability
(00:11:02) XSS-Leak: Leaking Cross-Origin Redirects
(00:18:25) Playing with HTTP/2 CONNECT
(00:22:10) Next.js, cache, and chains: the stale elixir
(00:29:15) SOAPwn: Pwning .NET Framework Apps Through HTTP Client Proxies And WSDL
(00:34:27) Cross-Site ETag Length Leak
(00:41:47) Lost in Translation: Exploiting Unicode Normalization
(00:47:27) ORM Leaking More Than You Joined For
(00:54:07) Novel SSRF Technique Involving HTTP Redirect Loops
(00:58:40) Successful Errors: New Code Injection and SSTI Techniques
26 February 2026, 10:00 am - 53 minutes 22 secondsEpisode 162: HackerOne Training AI on Bug Bounty Data?
Episode 162: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph sit down with HackerOne Founder & CTO Alex Rice to discuss concerns of Using Hacker Data for AI and decreasing bounties.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
Critical Research Lab:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26
Today’s Guest: https://x.com/senorarroz
====== This Week in Bug Bounty ======
XML external entity: The ultimate Bug Bounty guide to exploiting XXE vulnerabilities
Bug Bounty Maturity Framework
https://bugbountymaturity.com/
====== Resources ======
Confidential Information and Confidentiality Obligations
Ownership and Licenses
https://www.hackerone.com/terms/community#:~:text=8.%20Ownership%20and%20Licenses
I argued with an AI regarding HackerOne using Hacker reports to train PtaaS
https://bugbounty.forum/post/183ff0fc-eb9e-47f8-991d-c0aa5b0bba71
HackerOne PTaaS (likely training their AI on private reports data)
https://www.reddit.com/r/bugbounty/comments/1r5hixk/hackerone_ptaas_likely_training_their_ai_on/
What Makes Agentic PTaaS Different in Real Environments
====== Timestamps ======
(00:00:00) Introduction
(00:08:44) HackerOne AI Terms of Service
(00:24:56) Agentic PTaaS
(00:38:09) Selling data
(00:43:49) Decrease in Bounties
19 February 2026, 10:00 am - 24 minutes 42 secondsEpisode 161: Cross-Consumer Attacks & DTMF Tone Exfil
Episode 161: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gives us some quick hits regarding CSRF and Cross Consumer Attacks, and also touches on some breaking questions surrounding HackerOne
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
Critical Research Lab:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26
====== This Week in Bug Bounty ======
AS Watson
https://app.intigriti.com/programs/aswatson/watsons/detail
YesWeHack 2026 Report
====== Resources ======
PhoneLeak: Data Exfiltration in Gemini via Phone Call
https://blog.starstrike.ai/posts/phoneleak-data-exfiltration-in-gemini-via-phone-call/
Max's Tweet about decreasing bounties
https://x.com/0xw2w/status/2020788164378427483
HackerOne General Terms and Conditions
https://www.hackerone.com/terms/general
Research Review #-2: RCE in Google's AI code editor Antigravity (sudi)
https://www.youtube.com/watch?v=JqvJSF2UMyY
====== Timestamps ======
(00:00:00) Introduction
(00:03:26) YesWeHack 2026 Report
(00:09:12) CSRF Realizations & Data Exfiltration in Gemini via Phone Call
(00:14:38) 7urb0's Youtube, HackerOne decreasing bounties and Section 3.1 controversy.
(00:19:06) Cross Consumer Attacks
12 February 2026, 10:00 am - 45 minutes 4 secondsEpisode 160: Cloudflare Zero-days & Mail Unsubscribing for XSS
Episode 160: In this episode of Critical Thinking - Bug Bounty Podcast Joseph and Brandyn. Chat through some news, Including a Cloudflare Zero-day, Turning List-Unsubscribe into an SSRF/XSS Gadget, & Magic String Denial of Service in Claude.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
Critical Research Lab:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today’s Sponsor: Adobe.
Use code CTBB040126, and get a 10% bonus on your bounty for any AI vulnerability which is mapped to the OWASP LLM top 10.
Valid on Adobe Acrobat Web - AI Assistant / PDF Spaces / Content Creation and presentation features using Express
Adobe Express AI Assistant.
Valid through April 1st, 2026
Also we have a Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag!
====== Resources ======
Cloudflare Zero-day
https://fearsoff.org/research/cloudflare-acme
Turning List-Unsubscribe into an SSRF/XSS Gadget
https://security.lauritz-holtmann.de/post/xss-ssrf-list-unsubscribe/
Breaking Multi-Tenant Isolation in Heroku Postgres
https://allistair.sh/blog/breaking-heroku-postgres/
Parse and Parse: MIME Validation Bypass to XSS via Parser Differential
https://lab.ctbb.show/research/parse-and-parse-mime-validation-bypass-to-xss-via-parser-differential
Claude Magic String Denial of Service
https://x.com/Frichette_n/status/2013988503336415522
From WebView to Remote Code Injection
https://djini.ai/from-webview-to-remote-code-injection/
DOM XSS Is Not Dead: The Rise of Polyglot Payloads
https://blogs.jsmon.sh/dom-xss-is-not-dead-the-rise-of-polyglot-payloads/
====== Timestamps ======
(00:00:00) Introduction
(00:06:17) Cloudflare Zero-day & Turning List-Unsubscribe into an SSRF/XSS Gadget
(00:16:57) Breaking Multi-Tenant Isolation in Heroku Postgres & CTBB Research
(00:25:46) Claude Magic String Denial of Service & From WebView to Remote Code Injection
5 February 2026, 10:00 am - 1 hour 46 minutesEpisode 159: Avoiding Downgrades on Google Cloud VRP with Cote and Darby Hopkins
Episode 159: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with the Google Cloud VRP Team to deep-dive policy and reward changes, what the panel process looks like, and how to best configure for success.
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Get some hacker swag
Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26
Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag!
Today’s Guests:
====== This Week in Bug Bounty ======
AI Red Teaming Explained by AI Red Teamers
Good Faith AI Research Safe Harbor
Join the Adobe LHE at NULLCON GOA
====== Resources ======
‘Legendary Guy’ - Jakub Domeracki
Google Cloud VRP rewards rules
Google Cloud VRP product tiers
Bug Hunters blog on the 2025 Google Cloud VRP bugSWAT
====== Timestamps ======
(00:00:00) Introduction
(00:10:03) CloudVRP Bugswat Event Breakdown
(00:16:40) VRP Policy & Rewards Changes
(00:04:50) Panel Process
(01:00:08) Configuring for Success & Avoiding Downgrades
(01:33:47) Scenarios for Success
29 January 2026, 10:00 am - 58 minutes 30 secondsEpisode 158: 10hr Marathon Hack-Along Recap + $300k Client-side Bugs
Episode 158: In this episode of Critical Thinking - Bug Bounty Podcast we talk about our personal takeaways from the CTBB Charity Hackalong, and then break down some InsertScript POCs, what a $55,000 bug can look like, and if Smart People Ever Say They’re Smart.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
Critical Research Lab:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26
https://ztw.com/
====== Resources ======
InsertScript - XSS Challenge Solution
https://insert-script.blogspot.com/2020/03/xss-challenge-solution-refresh-header.html
InsertScript - Redirect AuthHeader
https://www.insert-script.com/examples/redirectAuthHeader/send.html
CRLF injection on a 302 redirect
https://x.com/0xdef1ant/status/2009040359482118500
Multiple XSS in Meta Conversion API Gateway Leading to Zero-Click Account Takeover
https://ysamm.com/uncategorized/2025/01/13/capig-xss.html
Arcanum Hack Tips
https://github.com/Arcanum-Sec/hack_tips
Trail of Bits Releases Claude Skills
https://x.com/dguido/status/2011541318229533063
what a $55,000 bug can look like
https://x.com/the_IDORminator/status/2007480636244697237
Pwning Claude Code in 8 Different Ways
https://flatt.tech/research/posts/pwning-claude-code-in-8-different-ways/
Do Smart People Ever Say They’re Smart?
https://labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertools-smartermail-pre-auth-rce-cve-2025-52691/
====== Timestamps ======
(00:00:00) Introduction
(00:04:18) Technical takeaways from CT Charity Hackalong
(00:22:21) InsertScript POCs & Rez0 and teknogeek's IOT Adventures
(00:32:16) CRLF injection on a 302 redirect & Multiple XSS in Meta
(00:41:00) Trail of Bits, what a $55,000 bug can look like, & Pwning Claude Code
(00:54:16) Do Smart People Ever Say They’re Smart?
22 January 2026, 10:00 am - More Episodes? Get the App