s1r1us (mohan)
@S1r1u5_
Followers: 11K · Following: 8K · Media: 419 · Statuses: 4K
aham nityaṃ śiṣyaḥ, jagat mama guruḥ. {~hacker~} {founder @ElectrovoltSec, @HacktronAI}
Somewhere finding bugs
Joined July 2015
A case study of AI-accelerated hacking: How we at @HacktronAI hacked our way into Lovable's office, cut attack time from weeks to days, and helped secure Supabase from one of the most complex vulnerability chains we’ve ever worked through.
14
42
244
How much are we getting? We sent 5 reports
We want to thank the hackerone community for an incredible collaboration over the weekend. They discovered a total of 15 unique issues, leading to an expected payout of $750K. Our eng team has hardened the WAF as issues were discovered, and the last "flag capture" was 20 hours
3
0
37
Are there any open-source alternatives to something like Harmonic's Aristotle and Axiom Math?
1
0
4
https://t.co/yyb0rhxSwE Tyler Cowen's "Work on these things" from 2019 has a list of projects he wants to get funded that has enormous impact. One of them is the following, I guess that's solved now! > Summaries of the state of knowledge in different fields. As a general
marginalrevolution.com
Here are some projects I’d like to see funded, some through my own ventures, or others through alternative mechanisms. On these issues, the right person could have an enormous impact, whether through...
0
0
5
Vercel Firewall has blocked: ▪️ ~6MM exploit attempts (all-time) ▪️ 2.3MM in the last 24h ▪️ 18K unique attacking IPs ▪️ 500+ exploit scanners Kudos to our CDN & Security teams working day & night to protect the internet from React2Shell attacks. Our WAF continues to get
51
44
823
how do i know? getting help by sliding into dms of whoever can help to solve the react2shell situation
1
0
1
i read like ~20 longform blogs from my bookmarks like a doomscrolling short-content monkey on an 8-hour flight to london. i’m not going to remember any idea from a single one of them except for entertainment value
2
0
32
I think it's safe to assume Vercel WAF is stronger than before at protecting against react2shell? I can see a lot of pros being assembled here; apart from HTTP parser differentials, did anyone bypass :constructor blocking?
5
4
96
It’s a hot season for prototype pollution, sharing epic research we did long ago. "A tale of making internet pollution free" - Exploiting Client-Side Prototype Pollution in the wild https://t.co/Ys1bhUIZzR
blog.s1r1us.ninja
Introduction
4
38
181
Wow, Kudos to Vercel for trying whatever they can do to stop this attack. A CTF challenge of parser differentials dropped. And with a huge bounty!! CTFers do your thing!
We introduced a dedicated HackerOne program for Vercel WAF bypasses for CVE-2025-55182 / react2shell Critical bypass: $50K https://t.co/90NnL06Vnx
3
5
99
Nice, this is a great idea
Vercel has stopped allowing new deployments of next.js applications vulnerable to CVE-2025-66478. If you have not upgraded, the time to do so is now. Exploits are in the wild and WAF rules are not sufficient indefinitely https://t.co/b7v2ICgJBG
0
0
13
anyone know about goodhart’s law, “hackerone top 1” and how they are related?
0
0
8
whoever is willing to sit on a complex piece of software for months will eventually be rewarded with something like react2shell. most companies aren’t “secure”, they’re just protected by under-resourced adversaries, not by good software. once in a while you see a sprinkle of
2
4
123
Almost all the Indigo flights got canceled due to some operational incompetence. I am having fun looking at meltdowns all around while working on react2shell.
0
0
6