winfunc @winfunction
autonomous AI security agents that audit your codebase, prove exploitable vulnerabilities, and deliver fixes your team can ship. winfunc.com San Francisco Joined December 2023-
Tweets45
-
Followers2K
-
Following1
-
Likes46
We discovered the same vulnerability too. :) And @winfunction discovered 4 more remote RCE primitives in NGINX soon to be publicly disclosed. Anywho, we're hiring security researchers with a knack on taming LLMs. If you're interested in novel vulnerability research and autonomous exploitation with language models, DM me and I'll send you a fun CTF to solve. :)
Introducing nginx-poolslip, a fresh RCE for the the latest nginx release 1.31.0. nginx-rift has been patched, but our security agent Vega has found a new 0 day. We will release the full technical writeup with ASLR bypass 30 days after the patch on nebusec.ai.
We're doing an experiment with open models @winfunction to see how far we can push them to find vulns in hardened targets. So far: - $4.5K in bounties from Chrome VRP with a few more pending, with the scans costing less than $100. - 2 CVEs in NGINX (CVE-2026-28755 & CVE-2026-42926). And watch out for the next release! - And 60ca500faea0fc70816bb9c53af3815e2af3e6c962b4b4ea63c33c62ebb4240d 👀 We're writing a blog on this soon.
During our YC (@ycombinator S24) batch, we had the awesome opportunity to meet @paulg and talk about what we're building: An autonomous AI hacker. To showcase a fun demo, I remember opening my laptop in the Uber to his home and challenging our agents to find vulnerabilities in the old HackerNews codebase written in Arc. For those unfamiliar, Arc is a programming language designed by PG and Robert Morris. And the old HN codebase is written in Arc. We only got to talk about it with him but we just redid the experiment with our improved harness for fun! And we wrote a blog about it: winfunc.com/research/hacki…
@cramforce oh good idea, just initiated an audit on just-bash!
Vulnerability benchmarks rot. Cases leak into training data, scores measure memorization. We built N-Day-Bench: tests LLMs on finding real vulnerabilities in real repos, refreshed monthly from live GitHub advisories. Blinded judging. All traces public. Very interestingly, the latest model from @Zai_org, GLM 5.1 performs really well! Link: ndaybench.winfunc.com
Currently testing GPT-5.4, Claude Opus 4.6, Gemini 3.1 Pro, GLM-5.1, and Kimi K2.5. Every run publishes the full audit trail — shell commands, judge rationale, curator answer key, sandbox history. If a score looks wrong, you can trace it to a specific shell session on a specific line of code. Results: ndaybench.winfunc.com
How it works: each month the benchmark pulls fresh cases from GitHub security advisories, checks out the repo at the last commit before the patch, and drops models into a sandboxed read-only shell (h/t just-bash by @cramforce). The model never sees the fix. It starts from sink hints and has to trace the bug through actual code. Only repos with 10k+ stars qualify. A diversity pass prevents any single repo from dominating the set. Ambiguous advisories (merge commits, multi-repo references, unresolvable refs) are dropped. Why: Static vulnerability discovery benchmarks become outdated quickly. Cases leak into training data, and scores start measuring memorization. The monthly refresh keeps the test set ahead of contamination — or at least makes the contamination window honest.
New CVE in NGINX - CVE-2026-28755 NGINX stream module allows TLS handshake to succeed with revoked client certificates when ssl_ocsp on is configured. This vulnerability was autonomously discovered by Winfunc's AI agent. Read the write-up here: winfunc.com/findings/CVE-2…
Node.js disclosed a bug submitted by @winfunction: hackerone.com/reports/3465156 #hackerone #bugbounty
The Recent CVEs in React and Node.js Were Found by an AI - winfunc.com/blog/recent-0-… In December 2025 and January 2026, an AI system autonomously discovered zero-day vulnerabilities in Node.js and React, two of the most widely deployed JavaScript runtimes and frameworks in the world. This post documents how these vulnerabilities were found, the technical details of the flaws, and what this means for the future of security research.
The Recent 0-Days in Node.js and React Were Found by an AI winfunc.com/blog/recent-0-…
New blog post: The Recent 0-Days in Node.js and React Were Found by an AI Covering the discovery of 0-days with AI, its implications, and "AI slop". Have a read. winfunc.com/blog/recent-0-…
we've a few more up our sleeves. soon. 👾
A new vulnerability in React Server Components (CVE-2026-23864) was disclosed today. One of the DoS vectors was discovered by me with the help of an AI agent @winfunction. Other vectors were also discovered by @ryotkak et al. All users should upgrade to a patched version as
A new vulnerability in React Server Components (CVE-2026-23864) was disclosed today. One of the DoS vectors was discovered by me with the help of an AI agent @winfunction. Other vectors were also discovered by @ryotkak et al. All users should upgrade to a patched version as soon as possible. vercel.com/changelog/summ…
🚨 CVE-2026-21636 in Node.js (@nodejs) Node.js permission model bypass via unchecked Unix Domain Socket connections (UDS) This vulnerability was autonomously discovered by winfunc.com, an AI agent that can find, exploit, and patch security vulnerabilities in codebases. Thanks to @_rafaelgss for triaging and fixing the issue.
Node.js Security Release Bulletin: nodejs.org/en/blog/vulner…
Read the Hacktivity here: winfunc.com/hacktivity/nod…
Chance Wang @ppdonow
755 Followers 643 Following Head of 3 Labs @AntGroup. Exploring the tech-business intersection. Transforming AI & Security into business momentum. AI/Risk/Data/Web3/Cyber/Red Teaming
JW @jerrywangbro
22 Followers 504 Following
malformX @malf0rmX
31 Followers 1K Following machines, circuits, codes, riddles, icecreams and Oranges
Brian Halbach ☕️ @brianhalbach
1K Followers 6K Following Who has two thumbs and can count to ten. Does cyber security things | abyss gazer | opinions are my own | (he/him)
Jonas Lejon @jonasl
27K Followers 13K Following Cyber Security since 1998 ✌️ Also known as @kryptera - Chairman of the board at @ISOCSE
nepomucen @nepomucen22
1 Followers 227 Following
张若尘 @ruo_zhang96325
0 Followers 118 Following
cosy @cosy294
62 Followers 1K Following
陈广 @chain00x
7K Followers 480 Following Call me xsskiller! Full time bug bounty hunter in China🇨🇳 Tencent Cloud Security Public Testing ranked No.1 and Tencent Security Response Center ranked No.2
Sudoku @SudokusFull
0 Followers 1K Following
7319xjushbxnd @xa8zaYxG8CU18dv
0 Followers 137 Following
cyberresponder @Malwarenailed
264 Followers 3K Following tweets and opinions are my own. dfir/threat hunting/malware research
Sean Kilfoy @SeanyBatman
104 Followers 982 Following
nirzaa @isItReallyMrDok
2 Followers 208 Following
kou.izumi @kou_izumi_kun
64 Followers 716 Following
Pas @is_exzettabyte
0 Followers 119 Following
Rich Mirch @0xm1rch
2K Followers 3K Following UNIX/Linux Sysadmin turned Penetration Tester, Security Researcher
chasingflares @chasingflares
0 Followers 105 Following
zzzzzz @zzzzzzgtfl
0 Followers 141 Following
Ashish Kunwar @D0rkerDevil
13K Followers 6K Following ex @Microsoft | Vulnerability Research | ios/mac research 🙂
Andrew Nairn @ACNzederr
26 Followers 529 Following
Abdul Mhanni @abdo_mhanni
182 Followers 804 Following Part Time Penetration tester, Full Time Script Kiddie | 46xCVEs | Love all things Windows/Active Directory
FORWARD CODE SOLUTION @hennfin
22 Followers 409 Following Founder @ForwardCodeSol 🚀 AI & Cybersecurity Expert 🤖 Helping European businesses integrate AI safely | Italy 🇮🇹 | you need? we ready!
Niv Levy 🇮🇱 @restr1ct3d
6K Followers 4K Following Penetration Testing Engineer / Bug Bounty Hunter / OSCP, OSWE, GCPN
gh0st🇧🇯 @YAssossou
41 Followers 285 Following Cyber security enthusiast 👨🏽💻 Culer forever 💙♥️ Anime addict 🤤✨
Alex @iPazu_
68 Followers 904 Following
Medeirus @jmedeiros1337
58 Followers 195 Following
Yu-Fu Fu @fuyu0425_tw
57 Followers 1K Following Personal Account. Only accept people I know personally. English & Public tweets @fuyu0425_en
Ahmed Fatouh @XDev05
1K Followers 2K Following Sr. Penetration Tester @rasantechnology | OSCP | eCPTXv2 | eCPPTv2 | eWPTXv2 | HTB APTLabs | Cyber Security Geek | CTF Player | Machines Breaker | C0d3r
Salah Abbas @0utwrest
104 Followers 597 Following swe @ big tech | ml + cyber + software | ctf w/ idek & spl & uscyberteam
Vikas Anil Sharma @VikzSharma
2K Followers 1K Following Cybersecurity Entrepreneur | Building @agilehunt | Helping SaaS & Enterprises stay secure
Ahmet az da olsa Gül... @ahmtglr1905
79 Followers 1K Following App sec and idiotic cyber security titles Au moins essai im not jesus, you can run away
badmash jatt @badmash1337
624 Followers 895 Following 🇵🇰📍سرزمینیں پک جابستان |🚜🌾👨🌾 منزلاں دلیرا دا استقبال کردیاں نے پر بزدلاں نوں تے راوا دا خوف ہی مار دیندا اے
Ali Babaeipour @HckTech1
42 Followers 445 Following Bug Bounty Hunter | Penetration Tester | Security Researcher
xunt @H4ckH4ck
48 Followers 664 Following
ASI @x_x10o9
209 Followers 1K Following Vulnerability Researcher --- Actively looking for Opportunities
Jonathan Metzman @metzmanj
2K Followers 627 Following I do fuzzing on Google's Open Source Security Team. I work on OSS-Fuzz/ClusterFuzz/FuzzBench. Speaking on behalf of myself, not my employer.
Y Combinator @ycombinator
1.6M Followers 364 Following We help founders make something people want. Subscribe to our newsletter: https://t.co/sjqjxxBeLcTrends for United States
You might like
