Last week, a security researcher using our previous model found and disclosed a vulnerability in React that could lead to source code exposure. I believe these models will be a net win for cybersecurity, but we are in the 'real impact phase' as they improve.

Hack faster, write smarter. Hai for Hackers is live on HackerOne. Secure built‑in AI to help you write cleaner and faster reports. Fewer language gaps: less back‑and‑forth. Privacy‑first: data stays on HackerOne. Learn more: docs.hackerone.com/en/articl…

Hai is leveling up. ⚡ What started as an AI copilot is now a coordinated team of AI agents built to strengthen every layer of your security workflow. Meet the Hai Agentic AI System. bit.ly/3KLcdst

AI is moving security into new territory. 210% more valid AI vulnerabilities. Attackers are combining human creativity with AI speed. Pressure test your AI with external researchers and agentic offsec testing. @Hacker0x01 bit.ly/4gQxyfV

Trend I'm following: evals becoming a must-have skill for product builders and AI companies. It's the first new hard skill in a long time that PMs/engineers/founders have had to learn to be successful. The last one was maybe SQL, and Excel? A few examples: @garrytan: "Evals are emerging as the real moat for AI startups." @kevinweil: "Writing evals is going to become a core skill for product managers." @mikeyk: "Writing evals is probably the most important thing right now." @saranormous: "Evals = your new marketing." @gdb: "Evals are surprisingly often all you need." More to come.

Product management for AI agents is easily the wildest form of product management in history. Typical product management is trying to figure out how to design interfaces and software for people to interact with deterministic systems. The user generally knows all the context to do their work successfully, so it’s generally a matter of nailing the underlying business logic and surrounding UX. But with AI agents, the user you care about most is the agent, and they don’t know anything by default. They’ll happily run in any direction to perform the task, often without success. So as a PM (or engineer) you basically spend your time trying to reverse engineer “what would a human need as context to perform this task”, and then figure out how to design systems to get the agent that data in the right sequence, with the right tools, and instructions. Some of these systems are entire invisible to the human user, but part of the craft is equally how the end-user will interact with the agent to supply this context. Then, it’s often unending trial and error working to eke out incremental points of quality at each stage. This is especially why people with deep domain expertise, or those that can acquire it quickly, will do extremely well building AI agents. The ability to anticipate the context that the agent would need to be successful is a huge determining factor in how effective the agent will be. This partly explains why coding agents have worked so well out of the gate; because its builders deeply understand the domain that they’re working to automate. But clearly we’re going to quickly see this same outcome across every field - legal, healthcare, finance, etc. - as context engineering and a new crop of product managers emerge.

hey @Zoom #BugBounty researchers! New Campaign starting next Monday focused on Zoom Hub (support.zoom.com/hc/en/artic…). 1.25x Bounties! Get Hacking!

The HackerOne Leaderboard is evolving. Today, we’re introducing a new profile type filter with two views: 👤 Individuals (default) 🏢 Collectives It’s a step toward a more transparent, inclusive leaderboard—one built for what’s next. bit.ly/4olDlNR

🔁 RT if you think 🇳🇱 @ThymenArensman is the Super-combative of the #TDF2025! 🔁 RT si vous pensez que 🇳🇱 Thymen Arensman est le Super-combatif du #TDF2025 !

Secure AI by Design at @Hacker0x01: hackerone.com/blog/secure-ai…

The new @Hacker0x01 AI security agent (HAI) is actually very cool. It suggests improvements when writing reports, helps rate reports using CVSS scores, and even gives feedback on how you could have written the report better. It also suggests potential attack chains, similar vulnerability scenarios, and escalation ideas to strengthen your findings. 🔥 #BugBounty #hackerone

Hey hackers! We're running a beta for Hai for Hackers, our AI security agent. If you're interested, please reply with your HackerOne username (we will probably limit to ~100 hackers for now). After it's been enabled, you can start using it by clicking the Hai button in the top right corner of the app. It’s free to use (with a limited daily budget for now). It is like any other AI you’ve interacted with, with the added benefit that it has access to a whole bunch of HackerOne data, like reports and programs. We’re shipping improvements to Hai almost every day. Here are some neat use cases: - “take all the learnings from STÖK, jhaddix, and nahamsec's recon strategy and build one for me!” - “write a python script for a typical recon process” - “i need an XSS payload that doesn’t use single or double quotes” - “my XXE payload doesn't call back to my server, what could go wrong?” - “write a response for report #133337” The beta also comes with Hai Plays for you, which allows you to build your own security agents in HackerOne. You can create them at hackerone.com/settings/hai_p…. Some of the cool use cases we’ve seen so far are: - write reports with minimal input from you (efficiency !) - convert reports into blogposts with a single prompt - AI mentor to give feedback about your communication and increase the likelihood of a reward In the background we’ve been working on agentic behavior, which we expect will soon come to Hai for Hackers as well. These AI agents can act like your hacking buddy and hack alongside you. We’ll keep you in the loop on our progress.

🚨 You know generative AI is powerful—but it’s not without risk. Join @Hacker0x01, @AWS, and @AnthropicAI for a chat about deploying AI *confidently*—and best practices for reducing AI application risk. Our expert speakers will cover: - The biggest security risks in GenAI apps—like prompt injection, hallucinations & data leakage - Why third-party evaluations are critical - How to build AI-specific testing into your development lifecycle - Where AI security is headed next 🔗 Sign up here: bit.ly/4jJmjqx #GenAI #AIsecurity #Cybersecurity #AppSec #AWS #HackerOne #Anthropic

Wil je weten wanneer er witte rook verschijnt en een nieuwe paus is gekozen? Volg het live via iseralwitterook.com #Conclaaf #WitteRook

RT @bgurley: Watching MCP gain momentum reminds me of early API adoption—huge potential but massive risk if you’re not careful. @Hacker0x…

Congrats to @WHOOP on launching their bug bounty program: hackerone.com/whoop_bug_boun… #togetherwehitharder

Be incredibly ambitious, demand everything, subtract anything that doesn’t matter, put the ICs in charge, remove non-contributors, keep teams small. Then be willing to work harder than everyone else, know and care about all details, be decisive, hear everyone but be uncompromising once conviction is there. And figure out how to make all this fun enough to do an entire career. You asked 🫣

🚀 Excited to share the evolution of Hai, HackerOne’s intelligent copilot! Our new Program Insights feature transforms vulnerability management with actionable insights and a sleek UX. 👉 Learn more: hackerone.com/ai/hai-program…

My favorite browser @arcinternet from @browsercompany launching a BBP on HackerOne!

The 8th annual Hacker-Powered Security Report is here! 📊 Get insights from top security researchers about how they approach GenAI threats, and more.. 👉 Download the report today! bit.ly/3YTmhEu