BugBunny.ai - Vibehacking for Vibecoders
@BugBunny_ai
AI‑powered, ethical pen‑testing. Real findings, validated PoCs. Built for hunters & vibecoders. Confirmed CVEs in Google (4x RCE), Python (RCE), Meta, ..
Joined September 2025
https://t.co/xKTkaUl5WX in the wild now. Think of it as your AI co-pilot slicing through pen testing grind. Real finds, real quick.
bugbunny.ai
The perfect helper for bug bounty hunters, security teams, and penetration testers to accelerate their work.
Everyone's arguing if AI can ship code. Meanwhile it's already finding vulns faster than your security team. RIP manual pentesting RIP CVE backlogs RIP "we'll patch it next sprint" Turns out vibe coding works better for breaking things than building them.
I'll have a special Christmas GoogeGift for ya..
Every Remix app using file sessions was vulnerable to complete takeover via one HTTP request until a few days ago
AI tools in security:
- Master iterative prompting. finding RCEs in Google
- Can't validate output. "AI doesn't work for real bugs"
- Same tools, wildly different results
The skill gap isn't technical anymore. It's knowing how to work with AI.
Built https://t.co/xKTkaUl5WX to be the ultimate bug bounty wingman. Vibehacking pro in your corner. Unlocking vulnerabilities before your coffee's cold.
The future of security research? "Vibe hackers" - people who know their shit AND know how to boss AI agents around like a distributed pen-testing team.
I just can't get over this. Account takeover on a 43k star GitHub project with 2 curl commands. That's it. Two basic API calls. I'm just staring at my terminal like, no way this actually worked. But there it is, full admin access to a project thousands of developers lean on.
Found through vibehacking on BB
Found a critical bug in Flowise (43k+ GitHub stars, just acquired by Workday). Every single user could be compromised with nothing but their email. The vulnerability was just sitting there, a simple parameter injection that ignored all their auth checks. Spent 3 hours thinking
"We use safe serialization practices" - Apache Fury documentation *immediately deserializes untrusted data with pickle* CVSS 9.8: "Am I a joke to you?" Narrator: It was not, in fact, safe. This is why we vibehack
Apache Fury developers: "We're security-first!" Apache Fury in production: *literally runs random code through pickle deserialization* That CVSS 9.8 score is just for decoration, right? Right? ...right?
Apache Fury: "Don't worry, we use safe serialization!" Also Apache Fury: *just quietly drops to pickle and runs whatever code you hand it* CVSS 9.8 waving from the corner 👋
Using @BugBunny_ai, we found a way to take over any Flowise account. BugBunny discovered this issue in less than 10 minutes by exploiting a simple flaw
90 million weekly downloads of React Router. All were vulnerable to stored XSS. Your app probably uses it.