Joined August 2017
Pinned Tweet
I have inner peace. Nothing is as someone said.
Someone posted that if you can't memorize the whole codebase, the audit isn’t over. Since then, I’ve had no inner peace.
Hard to digest. It feels bad knowing there won’t be that same passionate feeling anymore, the one that shaped us into who we are. You touched every SR soul, changed lives, and now you’re leaving. Farewell, my friend. Farewell
Replying to @code4rena
After careful consideration, we’ve made the decision to wind down @code4rena. This community has meant a great deal to everyone who has been part of building it, and sharing this news is not easy.
Auditing Canton feels like you're trying to probe a water sample through a wild river. Nothing is constant. I feel like I'm about to reveal a zero-day vuln.
Also The Prodigy
Sometimes I think I’m one of the luckiest people on the planet for attending an Iggy Pop concert from the front row.
The world would be far different -far different- if only Merkle Bonsai were attending only Web3Sec.
🧙‍♂️Wise sage @merkle_bonsai once said: 🧠 DO NOT LIMIT YOURSELF 📜 "Do not limit yourself with severity or specific area. Sometimes it is easier to find a crit than a low. Just don't limit yourself."👇 web3-sec.gitbook.io/art-of-a…
They closed MTV. Money for Nothing by Dire Straits is obsolete now.
Auditing Canton / DAML feels like moving from "find the broken math" to "find the broken authority model". And hey, is that contract archived?
Seize the day
🧙‍♂️Wise sage @0xSorryNotSorry once said: 🧠 Don't lose time on codebases you don't like 📜 "While this could be subjective - as many people suggest that it leverages Game Theory by not doing so - I observe that..."👇 web3-sec.gitbook.io/art-of-a…
Cancelling my OpenAI subscription. Thank you Anthropic.
A must read!! Your brain fog will disperse instantly
I've spent every day for the last 14 months building a language for scripting LLMs because I believe we need new primitives to defend against prompt injection. Here's why: x.com/sockdrawermoney/status…
sorryNotsorry retweeted
Since this rant is a roller-coaster of topics, I will divide it into four sections.

1-) How do the best bug bounty hunters deal with problematic project teams?

Spoiler: they are mortals like us and can't magically fix anything. I think that by listening/chatting with the best bug bounty hunters, I've understood their strategy: Just keep hunting. From the start, they choose the target mindfully. Hunt on bigger targets (in terms of TVL and bounty size, read this amazing article by @WhiteHatMage on this: whitehatmage.github.io/posts…) but even then they don't assume that the process will go smoothly, and they focus on finding new vulnerabilities on a different target while their existing reports are being (not) resolved. They try to create as many opportunities as possible so that some bad-faith actors won't totally stall them. However, this doesn't mean they don't care about unresolved reports. On the contrary, they behave very professionally in messaging channels and do not let go of a project that tries to avoid paying. This is their full-time job, and they want to get paid.

2-) Why this sucks?

Unfortunately, the above situation shows how inclined we are to create more black-hats than white-hats, because there are only two scenarios that can create the incredible level of devotion I mentioned above:
* You received one large payout, and because of that, no matter how many bad experiences you have, your belief that another large payout will come never fades.
* You have an incredibly strong attraction to feeling like a hero and doing what is ethically right.

Note: Many people do bug hunting *occasionally* (like myself), and the situation is completely different for that case. These two scenarios are related to creating devoted full-time bug bounty hunters. If we don't have established standards and legal enforcement (aka incentives), we will remain limited to creating only a ridiculously small number of consistent elite bug bounty hunters. We shouldn't wait for every project to get hacked in order for them to get incentivized to allocate more resources to security.

3-) Market actual security, not your newest product.

Because products/services will change over time -- sometimes it will be AI, sometimes audit competitions -- but the need for security will never disappear. What we need to show project teams is not just which fancy tool to use to achieve security, but that they genuinely need a "security-first" mindset. Security is not achieved through a single best product, but rather by getting various services. Instead of only launching a large bug bounty or only paying for one expensive audit, distributing the budget across both of these will produce a much better outcome. It feels like, instead of sharing the pie wisely, we are allowing most of it to be captured by the newest trend. Nothing done with a "let's not miss the boat" mentality is truly innovation. There will be some successful products/services, but most of them will be forgotten, sunset, or be forced to evolve.

4-) Not all founders have been reading @RektHQ for years like we do

Maybe you don't think much about it, but it is also important to realize that not all project teams have the same level of maturity. They just don't really think they need to allocate much to security. We need to teach some VCs that security is an actual thing and not a fucking marketing tool. You wouldn't believe how often I've heard bug bounty hunters say about major projects that "X project's codebase is terrible / is a mess." Do you think the developers, founders, and VCs of those projects are even aware that this is the case?
seeing all the horror stories on here about bug bounties, and having lived some myself, i don't think i can see myself ever bounty hunting again we desperately need to radically rethink the incentives here
I really envy the guy who created Claude Code. He has unlimited access to it, lol.
I have an attack vector where it drains your governance treasury. Works like a charm, but I don't want to be the scapegoat for revealing it.
Funny to complain that there is a coordinated pressure in governance structures. Why don't you complain when the pressure creators have your token then?? Here comes the oxymoron.
Infrastructure is only as strong as the governance behind it. After a period of apparent coordinated adversarial pressure, Compound delegates voted decisively to protect the protocol. We've published a full post-mortem on recent events. 🔗 in thread
It might not be as widespread as the $3M bounty, but there has been a sick save recently.
We decided to carry out public shaming during the events for protocols that lowball or rug bounty hunters. We just need someone topless, Femen-style, with “SHAME” written across their chest.
DM for make no mistakes