Critical Thinking - Bug Bounty Podcast cover art

Critical Thinking - Bug Bounty Podcast

Critical Thinking - Bug Bounty Podcast

Written by: Justin Gardner (Rhynorater) Joseph Thacker (Rez0) & Brandyn Murtagh (gr3pme)
Listen for free

About this listen

A "by Hackers for Hackers" podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest hacking techniques.

Critical Thinking Podcast
Episodes
  • Episode 163: Best Technical Takeaways from Portswigger Top 10 2025

    Episode 163: Best Technical Takeaways from Portswigger Top 10 2025
    Feb 26 2026
    Episode 163: In this episode of Critical Thinking - Bug Bounty Podcast It’s that time of year again! We’re looking at the Portswigger Research list of top 10 web hacking techniques of 2025.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynoraterhttps://x.com/rez0__https://x.com/gr3pmeCritical Research Lab:https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!====== Resources ======Parser Differentials: When Interpretation Becomes a Vulnerabilityhttps://www.youtube.com/watch?v=Dq_KVLXzxH8XSS-Leak: Leaking Cross-Origin Redirectshttps://blog.babelo.xyz/posts/cross-site-subdomain-leak/Playing with HTTP/2 CONNECThttps://blog.flomb.net/posts/http2connect/Next.js, cache, and chains: the stale elixirhttps://zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixirSOAPwn: Pwning .NET Framework Apps Through HTTP Client Proxies And WSDLhttps://watchtowr.com/wp-content/uploads/SOAPwnwatchtowr_soappwn-research-whitepaper_10-12-2025.pdfCross-Site ETag Length Leakhttps://blog.arkark.dev/2025/12/26/etag-length-leakLost in Translation: Exploiting Unicode Normalizationhttps://www.youtube.com/watch?v=ETB2w-f3pM4ORM Leaking More Than You Joined Forhttps://www.elttam.com/blog/leaking-more-than-you-joined-for/Novel SSRF Technique Involving HTTP Redirect Loopshttps://slcyber.io/research-center/novel-ssrf-technique-involving-http-redirect-loops/Successful Errors: New Code Injection and SSTI Techniqueshttps://github.com/vladko312/Research_Successful_Errors====== Timestamps ======(00:00:00) Introduction(00:02:33) Parser Differentials: When Interpretation Becomes a Vulnerability(00:11:02) XSS-Leak: Leaking Cross-Origin Redirects(00:18:25) Playing with HTTP/2 CONNECT(00:22:10) Next.js, cache, and chains: the stale elixir(00:29:15) SOAPwn: Pwning .NET Framework Apps Through HTTP Client Proxies And WSDL(00:34:27) Cross-Site ETag Length Leak(00:41:47) Lost in Translation: Exploiting Unicode Normalization(00:47:27) ORM Leaking More Than You Joined For(00:54:07) Novel SSRF Technique Involving HTTP Redirect Loops(00:58:40) Successful Errors: New Code Injection and SSTI Techniques
    Show More Show Less
    1 hr and 8 mins
  • Episode 162: HackerOne Training AI on Bug Bounty Data?

    Episode 162: HackerOne Training AI on Bug Bounty Data?
    Feb 19 2026
    Episode 162: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph sit down with HackerOne Founder & CTO Alex Rice to discuss concerns of Using Hacker Data for AI and decreasing bounties.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynoraterhttps://x.com/rez0__https://x.com/gr3pmeCritical Research Lab:https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26https://ztw.com/Today’s Guest: https://x.com/senorarroz====== This Week in Bug Bounty ======XML external entity: The ultimate Bug Bounty guide to exploiting XXE vulnerabilitieshttps://www.yeswehack.com/learn-bug-bounty/xml-external-entity-guide-xxe?utm_source=Critical_Thinking&utm_medium=Youtube&utm_campaign=XXE_Critical_Thinking&utm_id=XXE_CTBug Bounty Maturity Frameworkhttps://bugbountymaturity.com/====== Resources ======Confidential Information and Confidentiality Obligationshttps://www.hackerone.com/terms/general#:~:text=HackerOne%20may%20use%20Confidential%20Information%20to%20develop%20and/or%20improve%20its%20Services%20(for%20example%2C%20to%20identify%20trends%2C%20and%20to%20train%20AI%20models)%20provided%20such%20use%20does%20not%20result%20in%20disclosure%20of%20Confidential%20Information%20to%20unauthorized%20third%20partiesOwnership and Licenseshttps://www.hackerone.com/terms/community#:~:text=8.%20Ownership%20and%20LicensesI argued with an AI regarding HackerOne using Hacker reports to train PtaaShttps://bugbounty.forum/post/183ff0fc-eb9e-47f8-991d-c0aa5b0bba71HackerOne PTaaS (likely training their AI on private reports data)https://www.reddit.com/r/bugbounty/comments/1r5hixk/hackerone_ptaas_likely_training_their_ai_on/What Makes Agentic PTaaS Different in Real Environmentshttps://www.hackerone.com/blog/agentic-penetration-testing-as-a-service#:~:text=Our%20agents%20are,real%20enterprise%20constraints====== Timestamps ======(00:00:00) Introduction(00:08:44) HackerOne AI Terms of Service (00:24:56) Agentic PTaaS(00:38:09) Selling data(00:43:49) Decrease in Bounties
    Show More Show Less
    53 mins
  • Episode 161: Cross-Consumer Attacks & DTMF Tone Exfil

    Episode 161: Cross-Consumer Attacks & DTMF Tone Exfil
    Feb 12 2026

    Episode 161: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gives us some quick hits regarding CSRF and Cross Consumer Attacks, and also touches on some breaking questions surrounding HackerOne


    Follow us on twitter at: https://x.com/ctbbpodcast

    Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!



    ====== Links ======

    Follow your hosts Rhynorater, rez0 and gr3pme on X:

    https://x.com/Rhynorater

    https://x.com/rez0__

    https://x.com/gr3pme


    Critical Research Lab:

    https://lab.ctbb.show/


    ====== Ways to Support CTBBPodcast ======

    Hop on the CTBB Discord at https://ctbb.show/discord!


    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.


    You can also find some hacker swag at https://ctbb.show/merch!


    Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26

    https://ztw.com/


    ====== This Week in Bug Bounty ======


    AS Watson

    https://app.intigriti.com/programs/aswatson/watsons/detail


    YesWeHack 2026 Report

    https://choose.yeswehack.com/bug-bounty-report-2026-trends-and-key-insights-yeswehack?utm_source=youtube&utm_medium=sponsor-critical-thinking&utm_campaign=yeswehack-report-2026


    ====== Resources ======


    PhoneLeak: Data Exfiltration in Gemini via Phone Call

    https://blog.starstrike.ai/posts/phoneleak-data-exfiltration-in-gemini-via-phone-call/


    Max's Tweet about decreasing bounties

    https://x.com/0xw2w/status/2020788164378427483


    HackerOne General Terms and Conditions

    https://www.hackerone.com/terms/general


    Research Review #-2: RCE in Google's AI code editor Antigravity (sudi)

    https://www.youtube.com/watch?v=JqvJSF2UMyY


    ====== Timestamps ======

    (00:00:00) Introduction

    (00:03:26) YesWeHack 2026 Report

    (00:09:12) CSRF Realizations & Data Exfiltration in Gemini via Phone Call

    (00:14:38) 7urb0's Youtube, HackerOne decreasing bounties and Section 3.1 controversy.

    (00:19:06) Cross Consumer Attacks
    Show More Show Less
    25 mins
No reviews yet