Vibe Coding Night // Hacker Bob
AI-generated bug reports are drowning every bounty program. HackerOne paused accepting submissions. Reviewing a fabricated report takes as long as reviewing a real one — sometimes longer, because you have to try to reproduce something that does not exist before you can close it.
The bottleneck was never recon. It is verification.
Hacker Bob installs a local MCP runtime into your project directory and connects it to Claude Code, Codex, or any MCP-capable host. One command. You point it at a target and it runs a full pipeline — RECON, AUTH, HUNT, CHAIN, VERIFY, GRADE, REPORT. Hunter gremlins fan out in parallel. Nuclei templates fire. Findings get chained into higher-impact scenarios.
Then three verification passes try to kill every finding before it reaches you. Skeptical Bob. Balanced Bob. Final-PoC Bob. Most tools in this space stop at "find a thing, write a report." Bob argues with itself about whether its own results are real.
The verification prompts are markdown files sitting in your project directory. Editable. Testable.
That is what we are building on.
Point Bob at a deliberately vulnerable target — Juice Shop, DVWA, whatever you bring. Run the full pipeline. Then crack open the verification stage and figure out why certain findings survived and others got discarded. What separates a sharp verification prompt from a lazy one? How do you tune adversarial self-dialogue to catch false positives without killing true positives?
Bring a laptop.
Hacker Bob repo: https://github.com/vmihalis/hacker-bob/