Episodes

  • Episode 161: Cross-Consumer Attacks & DTMF Tone Exfil

    Episode 161: Cross-Consumer Attacks & DTMF Tone Exfil
    Feb 12 2026

    Episode 161: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gives us some quick hits regarding CSRF and Cross Consumer Attacks, and also touches on some breaking questions surrounding HackerOne


    Follow us on twitter at: https://x.com/ctbbpodcast

    Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!



    ====== Links ======

    Follow your hosts Rhynorater, rez0 and gr3pme on X:

    https://x.com/Rhynorater

    https://x.com/rez0__

    https://x.com/gr3pme


    Critical Research Lab:

    https://lab.ctbb.show/


    ====== Ways to Support CTBBPodcast ======

    Hop on the CTBB Discord at https://ctbb.show/discord!


    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.


    You can also find some hacker swag at https://ctbb.show/merch!


    Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26

    https://ztw.com/


    ====== This Week in Bug Bounty ======


    AS Watson

    https://app.intigriti.com/programs/aswatson/watsons/detail


    YesWeHack 2026 Report

    https://choose.yeswehack.com/hubfs/YWH%20Report/YesWeHack_2026_Report.pdf


    ====== Resources ======


    PhoneLeak: Data Exfiltration in Gemini via Phone Call

    https://blog.starstrike.ai/posts/phoneleak-data-exfiltration-in-gemini-via-phone-call/


    Max's Tweet about decreasing bounties

    https://x.com/0xw2w/status/2020788164378427483


    HackerOne General Terms and Conditions

    https://www.hackerone.com/terms/general


    Research Review #-2: RCE in Google's AI code editor Antigravity (sudi)

    https://www.youtube.com/watch?v=JqvJSF2UMyY


    ====== Timestamps ======

    (00:00:00) Introduction

    (00:03:26) YesWeHack 2026 Report

    (00:09:12) CSRF Realizations & Data Exfiltration in Gemini via Phone Call

    (00:14:38) 7urb0's Youtube, HackerOne decreasing bounties and Section 3.1 controversy.

    (00:19:06) Cross Consumer Attacks
    Show More Show Less
    25 mins
  • Episode 160: Cloudflare Zero-days & Mail Unsubscribing for XSS

    Episode 160: Cloudflare Zero-days & Mail Unsubscribing for XSS
    Feb 5 2026

    Episode 160: In this episode of Critical Thinking - Bug Bounty Podcast Joseph and Brandyn. Chat through some news, Including a Cloudflare Zero-day, Turning List-Unsubscribe into an SSRF/XSS Gadget, & Magic String Denial of Service in Claude.


    Follow us on twitter at: https://x.com/ctbbpodcast

    Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!


    ====== Links ======

    Follow your hosts Rhynorater, rez0 and gr3pme on X:

    https://x.com/Rhynorater

    https://x.com/rez0__

    https://x.com/gr3pme


    Critical Research Lab:

    https://lab.ctbb.show/


    ====== Ways to Support CTBBPodcast ======

    Hop on the CTBB Discord at https://ctbb.show/discord!


    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.


    You can also find some hacker swag at https://ctbb.show/merch!


    Today’s Sponsor: Adobe.

    Use code CTBB040126, and get a 10% bonus on your bounty for any AI vulnerability which is mapped to the OWASP LLM top 10.

    Valid on Adobe Acrobat Web - AI Assistant / PDF Spaces / Content Creation and presentation features using Express

    Adobe Express AI Assistant.

    Valid through April 1st, 2026


    Also we have a Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag!


    ====== Resources ======

    Cloudflare Zero-day

    https://fearsoff.org/research/cloudflare-acme


    Turning List-Unsubscribe into an SSRF/XSS Gadget

    https://security.lauritz-holtmann.de/post/xss-ssrf-list-unsubscribe/


    Breaking Multi-Tenant Isolation in Heroku Postgres

    https://allistair.sh/blog/breaking-heroku-postgres/


    Parse and Parse: MIME Validation Bypass to XSS via Parser Differential

    https://lab.ctbb.show/research/parse-and-parse-mime-validation-bypass-to-xss-via-parser-differential


    Claude Magic String Denial of Service

    https://x.com/Frichette_n/status/2013988503336415522


    From WebView to Remote Code Injection

    https://djini.ai/from-webview-to-remote-code-injection/


    DOM XSS Is Not Dead: The Rise of Polyglot Payloads

    https://blogs.jsmon.sh/dom-xss-is-not-dead-the-rise-of-polyglot-payloads/


    ====== Timestamps ======

    (00:00:00) Introduction

    (00:06:17) Cloudflare Zero-day & Turning List-Unsubscribe into an SSRF/XSS Gadget

    (00:16:57) Breaking Multi-Tenant Isolation in Heroku Postgres & CTBB Research

    (00:25:46) Claude Magic String Denial of Service & From WebView to Remote Code Injection
    Show More Show Less
    45 mins
  • Episode 159: Avoiding Downgrades on Google Cloud VRP with Cote and Darby Hopkins

    Episode 159: Avoiding Downgrades on Google Cloud VRP with Cote and Darby Hopkins
    Jan 29 2026
    Episode 159: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with the Google Cloud VRP Team to deep-dive policy and reward changes, what the panel process looks like, and how to best configure for success.Follow us on XGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, rez0 and gr3pme on X:====== Ways to Support CTBBPodcast ======Hop on the CTBB DiscordWe also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Get some hacker swagToday's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26https://ztw.com/Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag!Today’s Guests:Darby HopkinsMichael Cote====== This Week in Bug Bounty ======AI Red Teaming Explained by AI Red TeamersGood Faith AI Research Safe HarborJoin the Adobe LHE at NULLCON GOA====== Resources ======‘Legendary Guy’ - Jakub DomerackiGoogle Cloud VRP rewards rulesGoogle Cloud VRP product tiersBug Hunters blog on the 2025 Google Cloud VRP bugSWATGoogle VRP DiscordGoogle VRP on X====== Timestamps ======(00:00:00) Introduction(00:10:03) CloudVRP Bugswat Event Breakdown(00:16:40) VRP Policy & Rewards Changes(00:04:50) Panel Process(01:00:08) Configuring for Success & Avoiding Downgrades(01:33:47) Scenarios for Success
    Show More Show Less
    1 hr and 47 mins
  • Episode 158: 10hr Marathon Hack-Along Recap + $300k Client-side Bugs

    Episode 158: 10hr Marathon Hack-Along Recap + $300k Client-side Bugs
    Jan 22 2026

    Episode 158: In this episode of Critical Thinking - Bug Bounty Podcast we talk about our personal takeaways from the CTBB Charity Hackalong, and then break down some InsertScript POCs, what a $55,000 bug can look like, and if Smart People Ever Say They’re Smart.


    Follow us on twitter at: https://x.com/ctbbpodcast

    Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!



    ====== Links ======

    Follow your hosts Rhynorater, rez0 and gr3pme on X:

    https://x.com/Rhynorater

    https://x.com/rez0__

    https://x.com/gr3pme


    Critical Research Lab:

    https://lab.ctbb.show/


    ====== Ways to Support CTBBPodcast ======

    Hop on the CTBB Discord at https://ctbb.show/discord!


    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.


    You can also find some hacker swag at https://ctbb.show/merch!


    Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26

    https://ztw.com/


    ====== Resources ======

    InsertScript - XSS Challenge Solution

    https://insert-script.blogspot.com/2020/03/xss-challenge-solution-refresh-header.html


    InsertScript - Redirect AuthHeader

    https://www.insert-script.com/examples/redirectAuthHeader/send.html


    CRLF injection on a 302 redirect

    https://x.com/0xdef1ant/status/2009040359482118500


    Multiple XSS in Meta Conversion API Gateway Leading to Zero-Click Account Takeover

    https://ysamm.com/uncategorized/2025/01/13/capig-xss.html


    Arcanum Hack Tips

    https://github.com/Arcanum-Sec/hack_tips


    Trail of Bits Releases Claude Skills

    https://x.com/dguido/status/2011541318229533063


    what a $55,000 bug can look like

    https://x.com/the_IDORminator/status/2007480636244697237


    Pwning Claude Code in 8 Different Ways

    https://flatt.tech/research/posts/pwning-claude-code-in-8-different-ways/


    Do Smart People Ever Say They’re Smart?

    https://labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertools-smartermail-pre-auth-rce-cve-2025-52691/



    ====== Timestamps ======

    (00:00:00) Introduction

    (00:04:18) Technical takeaways from CT Charity Hackalong

    (00:22:21) InsertScript POCs & Rez0 and teknogeek's IOT Adventures

    (00:32:16) CRLF injection on a 302 redirect & Multiple XSS in Meta

    (00:41:00) Trail of Bits, what a $55,000 bug can look like, & Pwning Claude Code

    (00:54:16) Do Smart People Ever Say They’re Smart?
    Show More Show Less
    59 mins
  • Episode 157: Crushing Pwn2Own & H1 with Kernel Driver Exploits

    Episode 157: Crushing Pwn2Own & H1 with Kernel Driver Exploits
    Jan 15 2026

    Episode 157: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Hypr to talk about hacking Mediatek and his experiences with HackerOne and Pwn2Own Ecosystems.

    Follow us on twitter at: https://x.com/ctbbpodcast

    Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!

    ====== Links ======

    Follow your hosts Rhynorater, rez0 and gr3pme on X:

    https://x.com/Rhynorater

    https://x.com/rez0__

    https://x.com/gr3pme

    Critical Research Lab:

    https://lab.ctbb.show/

    ====== Ways to Support CTBBPodcast ======

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    You can also find some hacker swag at https://ctbb.show/merch!

    Today’s Guest: https://x.com/hyprdude

    ====== This Week in Bug Bounty ======

    Top 10 web hacking techniques of 2025: call for nominations

    https://portswigger.net/research/top-10-web-hacking-techniques-of-2025-nominations-open

    CVE-2025-13467

    https://access.redhat.com/security/cve/cve-2025-13467

    ====== Resources ======

    Hypr's Blog

    https://blog.coffinsec.com

    mediatek? more like media-rekt, amirite.

    https://blog.coffinsec.com/0days/2025/12/15/more-like-mediarekt-amirite.html

    kernel-utils

    https://github.com/mellow-hype/kernel-utils

    ====== Timestamps ======

    (00:00:00) Introduction

    (00:03:23) Heap Overflow in Mediatek Kernel Drivers

    (00:19:23) Kernel Debugging & ioctl Handlers

    (00:43:30) Input Structs, Sync to Source, & Privilege Escalation

    (00:51:30) HackerOne Ecosystem vs Pwn2Own Ecosystem

    (01:17:00) Kernel Utils

    (01:26:46) Real World Bugs for Exploit Development vs CTFs
    Show More Show Less
    1 hr and 35 mins
  • Episode 156: Chill AMA from bugbounty.forum

    Episode 156: Chill AMA from bugbounty.forum
    Jan 8 2026

    Episode 156: In this episode of Critical Thinking - Bug Bounty Podcast we answer some fantastic questions from over at bugbounty.forum

    Follow us on twitter at: https://x.com/ctbbpodcast

    Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!

    ====== Links ======

    Follow your hosts Rhynorater, rez0 and gr3pme on X:

    https://x.com/Rhynorater

    https://x.com/rez0__

    https://x.com/gr3pme

    ====== Ways to Support CTBBPodcast ======

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    You can also find some hacker swag at https://ctbb.show/merch!

    ====== Resources ======

    Critical Thinking Lab

    lab.ctbb.show

    Cross-Site ETag Length Leak

    https://blog.arkark.dev/2025/12/26/etag-length-leak

    Clawdbot

    https://github.com/clawdbot/clawdbot/

    Post from Steve Caldwell

    https://x.com/moreconfetti/status/2006494133159162008

    ====== Timestamps ======

    (00:00:00) Introduction

    (00:00:58) Crit Lab update

    (00:04:36) Cross-Site ETag Length Leak

    (00:13:26) Clawdbot

    (00:16:56) Will bug hunting become obsolete, LHE invitations, and Fulltime vs Part time?

    (00:30:52) 10 bugs at $5k or 1 bug at $5k, CTBB Background, & Future Plans

    (00:38:32) Mentoring, Conquering Classes, and what angles we implement from the podcast

    (00:49:27) Best approach on new targets, tips for making 500k in a year, AI/Vibecoding & Human in the Loop

    (00:59:07) Mentally mapping the target, anti-patterns that waste time, and BB beliefs that were wrong.

    (01:10:12) Tackling small scope, staying on one program, picking up after a break, & moving on

    (01:17:41) Invisible elements that make the difference between $2k and $20k
    Show More Show Less
    1 hr and 23 mins
  • Episode 155: 2025 Hacker Stats & 2026 Goals

    Episode 155: 2025 Hacker Stats & 2026 Goals
    Jan 1 2026

    Episode 155: In this episode of Critical Thinking - Bug Bounty Podcast Justin, Joseph, and Brandyn reflect on last year of Bug Bounty, and list their goals and predictions for what 2026 holds.

    Follow us on twitter at: https://x.com/ctbbpodcast

    Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!

    ====== Links ======

    Follow your hosts Rhynorater, rez0 and gr3pme on X:

    https://x.com/Rhynorater

    https://x.com/rez0__

    https://x.com/gr3pme

    ====== Ways to Support CTBBPodcast ======

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    You can also find some hacker swag at https://ctbb.show/merch!

    ====== Resources ======

    2024 Hacker Stats & 2025 Goals

    https://blog.criticalthinkingpodcast.io/p/hackernotes-ep-104-2024-hacker-stats-2025-goals

    ====== Timestamps ======

    (00:00:00) Introduction

    (00:02:08) 2025 Full Time Hunting Retrospective

    (00:10:19) Most Fulfilling Moments and Bugs

    (00:17:56) Satisfaction with 2025 Stats

    (00:45:28) Automation, Organization, and Collaboration

    (00:48:55) Time and Motivation

    (01:08:01) Goals and Predictions for Bug Bounty in 2026
    Show More Show Less
    1 hr and 32 mins
  • Episode 154: Starting a Pentesting Company on Top of Bug Bounty

    Episode 154: Starting a Pentesting Company on Top of Bug Bounty
    Dec 25 2025

    Episode 154: In this episode of Critical Thinking - Bug Bounty Podcast Joseph and Brandyn talk through the transition from Bug Bounty hunting to Pentesting. We cover diversifying income streams, the challenges of pricing for Pentests, legal considerations, and what Bug Hunters can bring to the Pentesting world

    Follow us on twitter at: https://x.com/ctbbpodcast

    Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!

    ====== Links ======

    Follow your hosts Rhynorater, rez0 and gr3pme on X:

    https://x.com/Rhynorater

    https://x.com/rez0__

    https://x.com/gr3pme

    ====== Ways to Support CTBBPodcast ======

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    You can also find some hacker swag at https://ctbb.show/merch!

    ====== Timestamps ======

    (00:00:00) Introduction

    (00:03:36) Starting a Pentesting Company

    (00:12:25) Advantages of Pentesting as a Bug Bounty Hunter

    (00:29:03) Pricing, Sales, and knowing your Market/Worth

    (00:36:21) Compliance in Pentests & Rapid-Fire Takaways
    Show More Show Less
    41 mins