Using AI to Find Authorization Bugs
Bug bounty programs are changing. Some programs stopped paying rewards. Others cut payouts by 80%. The reason is not that AI finds too many bugs. The reason is that AI finds too many wrong bugs. Triage teams are drowning in low-quality reports.
In this environment, the most important skill is not finding bugs. It is proving that a bug does not exist. You must find the correct negatives: the candidates that look like bugs but are not.
I use a two-stage method for source-available targets.
Stage 1: Fan-out

Use cheap AI models to read the code. Split the target into small pieces. Ask the model to find broken invariants. Look for places where an object loads without an owner check or where a security gate is skipped. Aim for high recall. Expect many mistakes.

Stage 2: Adversarial Verification

Use an expensive, high-reasoning model to kill the candidates. Assume every candidate is refuted. A candidate only survives if you can cite specific lines of code. You must prove the path is reachable and no other check blocks it.
The most valuable output is a list of refutations. This list builds trust with triagers.
I tested Ory Kratos, an open-source identity server. I looked at the settings flow. This area handles password changes and email updates. A single mistake here leads to account takeover.
The first stage found a tempting bug. In the OIDC strategy, a specific container lacks an identity binding. If you only look for missing checks, you would report this as a high-severity bug.
That would be a mistake.
The missing binding is not exploitable. The system gets the target identity from a live session cookie or a signed token. The container traits never apply to the actual write target. The design holds.
Reporting this would waste time and hurt your credibility. The value I provided was the confidence to not file a report.
When I used this same method on a different target, I found a real bug. An alternate entry point missed an authorization check that the main path enforced. A revoked user could still enter through a side door. This bug was high-impact and invisible to standard scanners.
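The side-door pattern above, as an added example that is not Ory Kratos code and not code from the other target: a constructed Go store in which a session path and a recovery-token path both write the same email trait. The recovery path is shown twice, once with the authorization gate skipped (the broken invariant) and once routed through the same write target as the main path. Every type, field and function name here is assumed.

```go
package main

import "errors"

var ErrUnauthorized = errors.New("unauthorized")

// Constructed model (not Ory Kratos code). Disabled marks a revoked account.
type Store struct {
	Emails   map[string]string // identity ID -> email trait
	Disabled map[string]bool   // identity ID -> revoked
	Sessions map[string]string // session token -> identity ID
	Recovery map[string]string // recovery token -> identity ID
}

// setEmail is the write target. The authorization gate lives here, so every
// entry point that resolves an identity ID inherits the same check.
func (s *Store) setEmail(id, email string) error {
	if _, ok := s.Emails[id]; !ok || s.Disabled[id] {
		return ErrUnauthorized
	}
	s.Emails[id] = email
	return nil
}

// Main path: the session cookie names the identity, then the gate runs.
func (s *Store) UpdateEmailBySession(token, email string) error {
	if id, ok := s.Sessions[token]; ok {
		return s.setEmail(id, email)
	}
	return ErrUnauthorized
}

// Side door as found: the recovery token binds an identity, but the write
// bypasses setEmail, so a revoked identity can still change its email.
func (s *Store) UpdateEmailByRecoveryVulnerable(token, email string) error {
	if id, ok := s.Recovery[token]; ok {
		s.Emails[id] = email // gate skipped: the broken invariant
		return nil
	}
	return ErrUnauthorized
}

// Side door fixed: same resolution, then the same write target and gate.
func (s *Store) UpdateEmailByRecovery(token, email string) error {
	if id, ok := s.Recovery[token]; ok {
		return s.setEmail(id, email)
	}
	return ErrUnauthorized
}
```

The verification step for a candidate like this is to cite the line where the side door writes the trait and show that no gate runs between token resolution and that write; the fixed version makes that argument impossible because the write target itself enforces the check.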
Gatekeepers are building walls against volume. To succeed, your AI work must be rigorous. Use AI to read more code than a human can. Then use AI to prove yourself wrong before you hit submit.
Focus on signal, not volume.
