Alex Chapman
@ajxchapman.bsky.social
I'm sympathetic to corporate policy "patch gaps", but when it's framed as "acceptable exploitation window" it hits on a different level 🤔
November 5, 2025 at 6:08 PM
I'm sympathetic to corporate policy "patch gaps", but when it's framed as "acceptable exploitation window" it hits on a different level 🤔
Reposted by Alex Chapman
Dad’s books are full of empathy, common sense, and a healthy suspicion of the powerful. But at its heart his work is also about how systems keep people poor while pretending it’s their own fault. So I hope Kemi’s taking notes as well as reading the jokes.
Kemi Badenoch claiming Terry Pratchett as her favourite author is wild
October 7, 2025 at 12:46 PM
Dad’s books are full of empathy, common sense, and a healthy suspicion of the powerful. But at its heart his work is also about how systems keep people poor while pretending it’s their own fault. So I hope Kemi’s taking notes as well as reading the jokes.
Reposted by Alex Chapman
An in depth summary of the consequence of Google VRP increasing bounties in 2024.
"We observe statistically significant increases in the reporting
of high-value bugs, especially in the highest impact tiers and high merit submissions." 🔥
arxiv.org/abs/2509.16655
"We observe statistically significant increases in the reporting
of high-value bugs, especially in the highest impact tiers and high merit submissions." 🔥
arxiv.org/abs/2509.16655
Incentives and Outcomes in Bug Bounties
Bug bounty programs have contributed significantly to security in technology firms in the last decade, but little is known about the role of reward incentives in producing useful outcomes. We analyze ...
arxiv.org
September 28, 2025 at 3:14 PM
An in depth summary of the consequence of Google VRP increasing bounties in 2024.
"We observe statistically significant increases in the reporting
of high-value bugs, especially in the highest impact tiers and high merit submissions." 🔥
arxiv.org/abs/2509.16655
"We observe statistically significant increases in the reporting
of high-value bugs, especially in the highest impact tiers and high merit submissions." 🔥
arxiv.org/abs/2509.16655
An in depth summary of the consequence of Google VRP increasing bounties in 2024.
"We observe statistically significant increases in the reporting
of high-value bugs, especially in the highest impact tiers and high merit submissions." 🔥
arxiv.org/abs/2509.16655
"We observe statistically significant increases in the reporting
of high-value bugs, especially in the highest impact tiers and high merit submissions." 🔥
arxiv.org/abs/2509.16655
Incentives and Outcomes in Bug Bounties
Bug bounty programs have contributed significantly to security in technology firms in the last decade, but little is known about the role of reward incentives in producing useful outcomes. We analyze ...
arxiv.org
September 28, 2025 at 3:14 PM
An in depth summary of the consequence of Google VRP increasing bounties in 2024.
"We observe statistically significant increases in the reporting
of high-value bugs, especially in the highest impact tiers and high merit submissions." 🔥
arxiv.org/abs/2509.16655
"We observe statistically significant increases in the reporting
of high-value bugs, especially in the highest impact tiers and high merit submissions." 🔥
arxiv.org/abs/2509.16655
The new favourite fidget toy on my desk is the Zippo lighter I've had since I was a teenager. There is something about the noise of the cap flipping open and flint sparking. This has replaced the ever popular poker chips.
Needless to say, I am not a great example for my kids 😬
Needless to say, I am not a great example for my kids 😬
September 18, 2025 at 8:05 AM
The new favourite fidget toy on my desk is the Zippo lighter I've had since I was a teenager. There is something about the noise of the cap flipping open and flint sparking. This has replaced the ever popular poker chips.
Needless to say, I am not a great example for my kids 😬
Needless to say, I am not a great example for my kids 😬
Hackers tops the list of films that have influenced my life. Without seeing this film as a young teen I may not have misspent my youth in front of a computer trying to understand how it all worked. Which, despite what my parents suggested at the time, seems to have worked out well for me 😆
September 16, 2025 at 9:50 AM
Hackers tops the list of films that have influenced my life. Without seeing this film as a young teen I may not have misspent my youth in front of a computer trying to understand how it all worked. Which, despite what my parents suggested at the time, seems to have worked out well for me 😆
That feeling when you finally read that blog post you've had open in a browser tab for 3 months, and it's complete garbage 😑
September 12, 2025 at 8:54 AM
That feeling when you finally read that blog post you've had open in a browser tab for 3 months, and it's complete garbage 😑
It's been another year since my wife and I lost our first daughter Chloë. She would have been 7 today. With each passing year I can't help but think about what her life would have been like, what our life would have been like, had she been given a chance. I love her so much, but don't even know her.
August 24, 2025 at 10:04 PM
It's been another year since my wife and I lost our first daughter Chloë. She would have been 7 today. With each passing year I can't help but think about what her life would have been like, what our life would have been like, had she been given a chance. I love her so much, but don't even know her.
This jaw dropping write-up of an LLM solving a DEF CON CTF challenge(!) with minimal human interaction 🤯 It seems like "vibe-reversing" is becoming a viable option now...
All You Need Is MCP - LLMs Solving a DEF CON CTF Finals Challenge
DEF CON CTF Every year world-class teams play difficult CTFs such as Plaid CTF and HITCON CTF in an attempt to qualify for DEF CON CTF by getting first place. There are usually only 3-4 CTFs a year de...
wilgibbs.com
August 15, 2025 at 2:32 PM
This jaw dropping write-up of an LLM solving a DEF CON CTF challenge(!) with minimal human interaction 🤯 It seems like "vibe-reversing" is becoming a viable option now...
There is something quite depressing about many of the advertised agentic AI use cases being posting "viral" content to social media. It stinks of one person assuming their time is inherently worth more than everyone else.
August 8, 2025 at 3:36 PM
There is something quite depressing about many of the advertised agentic AI use cases being posting "viral" content to social media. It stinks of one person assuming their time is inherently worth more than everyone else.
I've said it before and I'll say it again, Windows 11 is _such_ a hostile user experience, it's like they've actively tried to make it unpleasant to use 😑
August 8, 2025 at 10:45 AM
I've said it before and I'll say it again, Windows 11 is _such_ a hostile user experience, it's like they've actively tried to make it unpleasant to use 😑
Reposted by Alex Chapman
Can Bluesky say every word in the dictionary?
I dunno but I plan to find out!
I made a website that tracks every single word said on bluesky (as of yesterday).
I dunno but I plan to find out!
I made a website that tracks every single word said on bluesky (as of yesterday).
August 6, 2025 at 3:51 PM
Can Bluesky say every word in the dictionary?
I dunno but I plan to find out!
I made a website that tracks every single word said on bluesky (as of yesterday).
I dunno but I plan to find out!
I made a website that tracks every single word said on bluesky (as of yesterday).
Reposted by Alex Chapman
The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com
HTTP/1.1 Must Die
Upstream HTTP/1.1 is inherently insecure, and routinely exposes millions of websites to hostile takeover. Join the mission to kill HTTP/1.1 now
http1mustdie.com
August 6, 2025 at 11:43 PM
The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com
Reposted by Alex Chapman
We released our Fuzzilli-based V8 Sandbox fuzzer: github.com/googleprojec...
It explores the heap to find interesting objects and corrupts them in a deterministic way using V8's memory corruption API. Happy fuzzing!
It explores the heap to find interesting objects and corrupts them in a deterministic way using V8's memory corruption API. Happy fuzzing!
Add V8SandboxFuzzer · googleprojectzero/fuzzilli@675eccd
This is a basic fuzzer for the V8 Sandbox. It uses the memory corruption
API to implement a random-but-deterministic (given a seed) traversal
through the V8 heap object graph and corrupts some obje...
github.com
August 1, 2025 at 7:21 AM
We released our Fuzzilli-based V8 Sandbox fuzzer: github.com/googleprojec...
It explores the heap to find interesting objects and corrupts them in a deterministic way using V8's memory corruption API. Happy fuzzing!
It explores the heap to find interesting objects and corrupts them in a deterministic way using V8's memory corruption API. Happy fuzzing!
Reposted by Alex Chapman
I presented my magnum opus in 2014 and have been in steady decline ever since.
July 21, 2025 at 4:48 PM
I presented my magnum opus in 2014 and have been in steady decline ever since.
Reposted by Alex Chapman
There are bad security takes, and then there is @daniel.haxx.se attempting to shame @jameskettle.com for not "responsibly disclosing" a vulnerability to the curl project that doesn't affect the curl project... and _then_ complaining the details are being kept "secret" :facepalm:
daniel:// stenberg:// (@bagder@mastodon.social)
@albinowax@infosec.exchange @fuomag9@kiwi.fuo.fi @dan@infosec.exchange the website, the naming, the scare, the secrecy
mastodon.social
July 21, 2025 at 12:28 PM
There are bad security takes, and then there is @daniel.haxx.se attempting to shame @jameskettle.com for not "responsibly disclosing" a vulnerability to the curl project that doesn't affect the curl project... and _then_ complaining the details are being kept "secret" :facepalm:
I presented my magnum opus in 2014 and have been in steady decline ever since.
July 21, 2025 at 4:48 PM
I presented my magnum opus in 2014 and have been in steady decline ever since.
There are bad security takes, and then there is @daniel.haxx.se attempting to shame @jameskettle.com for not "responsibly disclosing" a vulnerability to the curl project that doesn't affect the curl project... and _then_ complaining the details are being kept "secret" :facepalm:
daniel:// stenberg:// (@bagder@mastodon.social)
@albinowax@infosec.exchange @fuomag9@kiwi.fuo.fi @dan@infosec.exchange the website, the naming, the scare, the secrecy
mastodon.social
July 21, 2025 at 12:28 PM
There are bad security takes, and then there is @daniel.haxx.se attempting to shame @jameskettle.com for not "responsibly disclosing" a vulnerability to the curl project that doesn't affect the curl project... and _then_ complaining the details are being kept "secret" :facepalm:
After the intense focus of Live Hacking Events, I often find myself at quite a deep emotional low point. The highs of the event fade, focus needs to completely shift to other, usually less valuable, targets. I find these events hugely rewarding, but need to remember to be kind to myself after them.
July 16, 2025 at 12:57 PM
After the intense focus of Live Hacking Events, I often find myself at quite a deep emotional low point. The highs of the event fade, focus needs to completely shift to other, usually less valuable, targets. I find these events hugely rewarding, but need to remember to be kind to myself after them.
Reposted by Alex Chapman
If you have a machine with PKEY support and somewhat recent Linux kernel you can now play around with hardware support for the V8 sandbox. When active, JS + Wasm code has no write permissions outside the sandbox address space. To enable, simply set `v8_enable_sandbox_hardware_support = true`.
July 9, 2025 at 9:04 AM
If you have a machine with PKEY support and somewhat recent Linux kernel you can now play around with hardware support for the V8 sandbox. When active, JS + Wasm code has no write permissions outside the sandbox address space. To enable, simply set `v8_enable_sandbox_hardware_support = true`.
Famous last words:
> This just leads to weird behavior, not a vulnerability
> This just leads to weird behavior, not a vulnerability
July 9, 2025 at 7:34 AM
Famous last words:
> This just leads to weird behavior, not a vulnerability
> This just leads to weird behavior, not a vulnerability
Reposted by Alex Chapman
Today was my last day as a pentester at Bsecure. After a three-year journey of hunting on the side, I’m ready to go all-in as a full-time bug bounty hunter. You can read about my journey from pentester to full-time hunter here: gelu.chat/posts/from-p...
Finding Freedom, One Bug at a Time: My Journey from Pentester to Full-Time Hunter
After seven years in pentesting, I transitioned full-time into bug bounty hunting, leveraging deep experience and continuous learning. This article shares key moments and insights from that journey.
gelu.chat
July 4, 2025 at 3:09 PM
Today was my last day as a pentester at Bsecure. After a three-year journey of hunting on the side, I’m ready to go all-in as a full-time bug bounty hunter. You can read about my journey from pentester to full-time hunter here: gelu.chat/posts/from-p...
Yesterday I discovered it's theoretically possible to create an ASCII Jar file, one where each byte of the file is a valid ASCII character. Today I'm trying to create one.
Sometimes I regret my impulses.
Sometimes I regret my impulses.
July 2, 2025 at 11:53 AM
Yesterday I discovered it's theoretically possible to create an ASCII Jar file, one where each byte of the file is a valid ASCII character. Today I'm trying to create one.
Sometimes I regret my impulses.
Sometimes I regret my impulses.
I often find when explaining complex exploits that it can appear like such an unlikely event that the exploitable steps exist. In reality it's just _this_ is the particular set of unlikely steps I found. I'm sure there are others, but I stopped looking after these steps were successful 🤔
July 1, 2025 at 1:11 PM
I often find when explaining complex exploits that it can appear like such an unlikely event that the exploitable steps exist. In reality it's just _this_ is the particular set of unlikely steps I found. I'm sure there are others, but I stopped looking after these steps were successful 🤔