If you haven't watched ep. 162 yet, we talked with @senorarroz from @Hacker0x01, and here are the most important questions and answers:
1. Are they training AI models on researcher reports? (8:50)
No. The part of their ToS that mentions AI training was written a long time ago, back when "AI" just meant basic spam filters, not the LLMs we have today.
They are not using bug bounty reports to train or improve any large language model.
They admitted they should have updated the ToS language sooner to make this clear, and they are working on it.
2. What about the new agentic pentest platform: where is its "exploit intelligence" coming from? (29:25)
Not from bug bounty reports. The platform was trained using public benchmarks, internal test apps they built themselves, public CVEs, and pentest sessions where both the pentester and the client agreed to share the data.
The only indirect overlap with bug bounty is that some CVEs originally came from BB submissions, but that's it.
3. Do researchers actually own their reports? (18:45)
Yes. According to Section 8 of H1's community terms, you keep the intellectual property.
You give H1 a limited license to run the platform, and the customer a slightly broader license to fix their own vulnerabilities.
The real risk of your techniques leaking is on the customer side, through CVE advisories, internal security teams, or threat intel sharing. That's where things tend to get out.
4. Why did they cut bounties? (41:59)
They changed how they benchmark their own program. Before, they were comparing themselves to Google, Meta, and Amazon. Now they're comparing to "high-growth tech companies" and targeting the 80th percentile instead of the top 1%.
The biggest cuts were on lows and mediums, but highs dropped from $12,500 to $7,000 and crits from $25,000 to $15,000.
They said they're watching engagement closely and will adjust if needed.
Justin pushed back hard on this: cutting high and crit payouts sends a bad signal to the whole industry, not just H1's own program. They said they're going to take a second look at it.
5. If you think your techniques were leaked or fed into an AI, how do you report it? (21:28)
Use the mediation button on the specific report. For something more serious, email their legal or privacy team directly.
They also said they're setting up a dedicated tip line for exactly this kind of concern; it's not live yet, but it's on their list.
---
One last thing.
Everything you just read came from a live, unscripted interview. No questions were shared in advance, nothing was edited afterwards, and Alex answered on the record.
Watch the full interview:
youtu.be/Pa4wWv_ONjM