
From Script Kiddie to Prompt Kiddie: Bug Bounty in the AI Era


You just signed up for a bug bounty platform. You’ve never written a line of SQL or dissected a packet trace. But you have an AI and a five-word prompt: “find all vulnerabilities in this.” Fifteen seconds later, you copy-paste a report into a submission. You don’t know what XSS actually is, but the AI says it found one. So do a thousand others. The triage queue instantly drowns in an ocean of noise.

Welcome to bug bounty in the age of AI.

The Great Flood

Bug bounty programs are drowning. Every hallucinated or non-exploitable finding gets blasted to triage. A path traversal on a dead, static endpoint. A SQL injection attempt successfully neutralized by parameterized queries. A CRLF injection instantly dropped by the WAF… To a human engineer with context, these are obvious non-starters. To a prompt kiddie, they look like easy paydays. As a result, platforms are tightening submission limits, forcing legitimate researchers to battle an avalanche of automated garbage.
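The second example above, a SQL injection claim that parameterized queries already neutralize, is the kind of finding a triager has to reproduce rather than forward. The script below is an added illustration, not code from this post: it builds a constructed in-memory SQLite user table, puts a deliberately concatenated query beside its parameterized counterpart, and runs the same tautology probe against each so the reporter can see for themselves which one is real and which is noise. All names (`lookup_concat`, `lookup_param`, `triage_sqli_claim`) and the sample rows are assumptions made here.

```python
import sqlite3

# Constructed sample data: a small user table standing in for the target that
# a hypothetical AI-generated report claims is injectable.
USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, username):
    # Deliberately vulnerable 'before' form: the value is spliced into the SQL
    # text, so a quote in the input changes the structure of the statement.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, username):
    # Hardened form: the driver binds the value at execution time, so it is
    # always data and can never become SQL syntax.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# The classic tautology probe a report of this kind would cite.
TAUTOLOGY = "' OR '1'='1"


def triage_sqli_claim(lookup):
    """Reproduce a reported SQLi instead of forwarding it.

    No account is literally named like the probe, so a correctly built query
    must return zero rows. Rows coming back mean the input reached the SQL
    parser as syntax and the finding is real; zero rows means false positive.
    """
    conn = make_db()
    try:
        rows = lookup(conn, TAUTOLOGY)
    except sqlite3.Error as exc:
        # A database error on a quoted probe means the quote reached the
        # parser; that is worth a human look rather than a dismissal.
        return {"verdict": "needs manual review", "detail": str(exc)}
    if rows:
        return {"verdict": "confirmed", "rows_returned": len(rows)}
    return {"verdict": "false positive", "rows_returned": 0}


if __name__ == "__main__":
    for label, fn in (("concatenated", lookup_concat), ("parameterized", lookup_param)):
        print(f"{label:14s} -> {triage_sqli_claim(fn)}")
```

Run it and the concatenated lookup returns every user for the probe while the parameterized one returns none; that difference, not the presence of a `'` in a payload list, is what separates a bounty-worthy report from triage noise.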

Script Kiddie -> Prompt Kiddie

The moniker changed; the mindset didn’t. Script kiddies point-and-clicked tools they couldn’t explain. Prompt kiddies fire off “Check for IDOR” and dump the raw markdown verbatim. No validation. No proof of concept.

The real victim here isn’t the triage queue, it’s the prompt kiddie behind the keyboard. Dumping AI-generated reports teaches zero transferable skills. You never build the intuition for where vulnerabilities actually hide. Your professional growth flatlines because the LLM did the intellectual heavy lifting. The core fundamentals, HTTP mechanics, cryptography, complex business logic, remain untouched by the prompt kiddie.

Efficiency Is Not Effectiveness

AI is an incredible force multiplier for scaling from 1 to 100. It can automate wide-scope recon, format edge-case payloads, or map out messy endpoints… if you already know the craft.

But AI inherently struggles with 0 to 1. It cannot chain an obscure response header into a critical privilege escalation. It cannot replicate the intuition built from thousands of hours reviewing code paths. That 0-to-1 gap is exactly where hacking remains an art form. AI can accelerate your learning, but it cannot do the learning for you. Outsource the cognition, forfeit the growth.

A Note for Beginners

If you’re a beginner, don’t let this landscape discourage you. Everyone starts at zero, and not knowing things is part of the deal. The temptation to let a prompt do the heavy lifting is intoxicating, but that shortcut is a trap.

Master the basics first. Learn what an HTTP request looks like. Understand how authentication and authorization differ. Read other researchers’ writeups. Replicate their findings by hand. Every vulnerability you find on your own, no matter how small, teaches you more than a hundred AI-generated reports ever will.

The Hard Path Forward

AI can be your best teacher. Ask it to break down complex OAuth flows or explain why an edge-case payload executes. Use it to explain code you don’t understand. But always verify. Always ask why. The goal is not to collect bounties, it is to become someone who can find them with or without an AI model’s help.

Treat AI as a sparring partner, not a substitute. The researchers who thrive are the ones who can look at an AI finding and say “false positive” with confidence earned through experience.

AI takes you from 1 to 100; getting from 0 to 1 is entirely on you. That hasn’t changed, and that’s exactly what makes this field worth learning.