Using AI to find authorization bugs
Bug bounty programs are closing. Nextcloud stopped paid rewards because of low-quality AI reports. Mattermost ended its program. The Internet Bug Bounty cut payouts by 80 percent.
The problem is not that AI cannot find bugs. The problem is that AI creates many reports that look real but are wrong. Triage teams are drowning in this noise.
In 2026, the skill you need is not finding bugs. A model will give you fifty ideas before lunch. The real skill is proving why forty-nine of them are false. You need a method that produces correct negatives.
Use this two-stage method for source-available code:
1. Fan-out (cheap models): Split the authorization surface into small parts. Read each part in parallel. Look for broken rules. Look for places where an object loads without an owner check. Look for paths that skip security gates. Focus on finding every possible lead. Expect many false positives.
2. Adversarial verification (expensive models): Take every lead and try to kill it. Start with the assumption that the lead is false. A lead only survives if you can show the exact lines of code proving the security guard is missing. You must prove the path is reachable and nothing else stops the attack.
The most important output is the list of refutations. A list of reasons why something is NOT a bug builds trust with triagers.
I tested Ory Kratos, an identity server. The system handles sensitive actions like changing passwords or emails. This is a high-risk area.
The first stage found a lead. It looked like a major flaw in how the system handles OIDC flows. A pattern-matching tool would call this a high-severity bug.
I used the second stage to verify it. I found that the missing check did not lead to an exploit. The system uses live session cookies and re-checks privileges at the final step. The flaw was not load-bearing.
If I reported that, I would lose credibility. The real value was the confidence to stay silent.
The same method found a real bug in a different target. A secondary entry point forgot to mirror an authorization check. The user could enter through a side door even after their access was revoked.
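What the verification stage has to demonstrate for the side-door finding, as an added Go example written for this post (it is not code from the original post, from Ory Kratos, or from the unnamed second target): a primary entry point that loads an object and checks ownership, a secondary entry point that loads the same object without mirroring the check, the fixed secondary that reuses the gated path, and a differential audit that exercises every entry point with the same three callers (owner, stranger, owner after revocation). The store, document, user names and the `Store`, `EntryPoint` and `AuditEntryPoints` names are all constructed for the example. An empty failure list for an entry point is the refutation the post asks for; a non-empty one is the reachable, unguarded path that survives adversarial review.

```go
package main

import (
	"errors"
	"fmt"
)

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// Document is a constructed resource type with a single owner.
type Document struct {
	ID, Owner, Body string
}

// Store holds the sample documents and the set of users whose access was revoked.
type Store struct {
	docs    map[string]Document
	revoked map[string]bool
}

// NewStore builds a constructed sample store with one document owned by alice.
func NewStore() *Store {
	return &Store{
		docs:    map[string]Document{"doc-1": {ID: "doc-1", Owner: "alice", Body: "notes"}},
		revoked: map[string]bool{},
	}
}

// Revoke marks a user as no longer allowed to act, whatever they own.
func (s *Store) Revoke(user string) { s.revoked[user] = true }

// authorize is the single gate every entry point must pass through:
// the caller must still be active and must own the object.
func (s *Store) authorize(user string, doc Document) error {
	if s.revoked[user] || doc.Owner != user {
		return ErrForbidden
	}
	return nil
}

// GetDocument is the primary entry point: load the object, then check ownership.
func (s *Store) GetDocument(user, id string) (string, error) {
	doc, ok := s.docs[id]
	if !ok {
		return "", ErrNotFound
	}
	if err := s.authorize(user, doc); err != nil {
		return "", err
	}
	return doc.Body, nil
}

// ExportUnchecked is the side door: it loads the object but never calls authorize.
// This is the deliberately vulnerable pattern the audit below must show is reachable.
func (s *Store) ExportUnchecked(user, id string) (string, error) {
	doc, ok := s.docs[id]
	if !ok {
		return "", ErrNotFound
	}
	return fmt.Sprintf("export:%s", doc.Body), nil
}

// Export is the fix: it reuses the gated primary path instead of re-loading the object,
// so the ownership and revocation rules cannot drift between the two entry points.
func (s *Store) Export(user, id string) (string, error) {
	body, err := s.GetDocument(user, id)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("export:%s", body), nil
}

// EntryPoint is any handler that is supposed to enforce the same ownership rule.
type EntryPoint func(user, id string) (string, error)

// AuditEntryPoints runs every entry point against the same ordered probes and returns,
// per entry point, the probe names whose outcome contradicted the expected decision.
// The revocation happens between probes, so the third probe checks the "revoked
// owner can still get in through the side door" case directly.
func AuditEntryPoints(s *Store, eps map[string]EntryPoint) map[string][]string {
	type probe struct {
		name   string
		user   string
		allow  bool   // expected decision
		before func() // state change to apply before this probe, if any
	}
	probes := []probe{
		{"owner", "alice", true, nil},
		{"stranger", "mallory", false, nil},
		{"revoked-owner", "alice", false, func() { s.Revoke("alice") }},
	}
	failed := map[string][]string{}
	for name := range eps {
		failed[name] = []string{}
	}
	for _, p := range probes {
		if p.before != nil {
			p.before()
		}
		for name, ep := range eps {
			_, err := ep(p.user, "doc-1")
			if granted := err == nil; granted != p.allow {
				failed[name] = append(failed[name], p.name)
			}
		}
	}
	return failed
}

func main() {
	s := NewStore()
	eps := map[string]EntryPoint{
		"GetDocument":     s.GetDocument,
		"Export":          s.Export,
		"ExportUnchecked": s.ExportUnchecked,
	}
	for name, misses := range AuditEntryPoints(s, eps) {
		fmt.Printf("%-16s unguarded probes: %v\n", name, misses)
	}
}
```

The audit deliberately mutates state between probes instead of constructing three separate stores, because the revoked-owner case in the post is exactly a stale-privilege problem: the question is whether a path that was fine before revocation is still fine after it, which is also the check that refuted the Ory Kratos lead (the final step re-reads the live session).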
The winners in bug hunting will focus on signal, not volume. Use AI to read more code than a human can. Then use AI to prove yourself wrong before you submit a report.
Optional learning community: https://t.me/GyaanSetuAi
