Get Ready for this Decade's Biggest Opportunity: Bug Bounty Hunting

Vini Barbosa
Technical writer and content creator

I strongly believe security research and bug bounty hunting are the biggest opportunities of this decade, empowered by AI developments and usage. I have been preparing myself for that over the past three years, and here I’ll explain exactly what I did and why I believe we are living through a security paradigm shift that will benefit those who learn how to navigate it.

It is undeniable that artificial intelligence developments have changed the way we search the web, learn, code, hack, and protect our apps and servers.

This change can even get a bit scary sometimes…

On that note, we recently saw the CalCom team declaring open-source software dead while closing the source code for its commercial software and server endpoints. Their thesis is that AI makes it much easier for threat actors to find vulnerabilities and exploit them, putting OSS at risk.

While the premise is true (AI makes it easier to find vulnerabilities and write working exploits), I strongly disagree that open-source is dead and that the shift only benefits black-hat hackers. This is what I want to talk about in this article.

AI Brings More Eyes to Open-Source

First, I want to attack the myth that being open-source is a disadvantage in the AI era.

It is not. It is quite the opposite, actually.

Closed-source code still has vulnerabilities and can still be hacked. Reverse engineering, penetration testing, DDoS, and many other techniques can be (and have been) applied to compromise systems whose code is a black box. Likewise, AI leverages all these techniques and shortens the learning curve for them too, just as it does for open-source exploits.

Linus’s law remains as relevant today, in the AI age, as it was before (if not more so).

"Given enough eyeballs, all bugs are shallow."

Notably, just as AI has democratized access and shortened the learning curve for black hat hackers, it has done the same for white hat hackers and security teams.

Before, people who were not professional auditors, experienced software engineers, or high-level hackers could hardly help with independently auditing the open-source code they use and support. Now, all these thousands of extra eyeballs can learn much more quickly and run tools more efficiently to audit OSS, hunt vulnerabilities, and write good PoC exploits to test their findings.

Companies can also automate and increase the efficiency of their security teams for paid audits or internal, routine verification.

In summary, the same tools (AI) that can be used for attacks can also be used to increase security. AI benefits everyone who learns how to use it and adapts to the new paradigm and reality we are living in.

With all that, bug bounty hunting and security research gain a very special leverage and become fantastic allies for projects that learn how to use them properly.

Building a solid bug bounty program, with the right incentives and proper maintenance (being highly responsive and efficient when dealing with reports), can strengthen open-source security in a way that wasn’t possible before.

On the other side of the same coin, competent security researchers and bug bounty hunters have a massive opportunity in front of them. Competition will likely increase, but so will the demand for these services, in my opinion.

We can’t forget that AI has also created a lot of vibe coders with low-to-no software engineering experience, which means more bugs in poorly written production code.

I truly believe these activities (security research and bug bounty hunting) are one of this decade’s biggest opportunities, both for ethical hackers and for businesses. That is what I’ve been preparing myself for over the past three years, and I’m ready to start collecting the fruits.

How I Became a Security Researcher

So, I’ve been writing and creating content about tech, crypto, privacy, and cybersecurity since 2020. I started as a journalist, mostly fact-checking and reporting on these topics, even when I didn’t know much about them. Reading good sources, covering events, and interviewing experts helped my learning process a lot and made me passionate about these things.

In 2023, I decided to go a step further.

In order to improve my writing and market value, I decided to learn how software engineers and hackers think. What is their thinking process? What methods do they apply at work? How is software created, and what happens after that? How can apps and servers be hacked, and how can that be avoided?

To answer these questions, I knew I needed to learn the same things they learned.

Step 1 – Learn Programming Languages

The most obvious first step, then, was to learn how these people communicate with machines. This happens via programming languages, and there are quite a few of them, each with its own particularities.

Most of the open-source projects I was interested in (crypto like Zcash, smart contracts like NEAR, VPNs like Nym, and others) were written in Rust. Over the following 3 to 6 months I learned to hate and love Rust at the same time, diving into the Rust book (The Book!), crates, and production code from the OSS I was using.

rustup doc --book

I wrote my first `hello-world.rs` program, then my first smart contract deployed to a testnet, and, three years later, I still have a lot to learn.

Python was my second language of choice, and I wrote a few scripts to help with my daily activities. It’s also the most-used language in security, and it was much easier to learn once I had the solid basis in programming fundamentals I had acquired while studying Rust.

In the meantime, I migrated from macOS to Ubuntu, then to Arch Linux, installing my first distro from the ground up. Bash lessons came naturally in this process, through interacting with the command-line interface (CLI), together with a better understanding of how operating systems work under the hood.

Step 2 – How Everything Works

So, by this point I had already learned a lot, but I needed more. The more I studied, the more I realized how much I loved it all and how many doors this knowledge could open for me, now as a technical writer and specialized content creator.

I started thecoding in late 2025, promising to “decode” complex topics and present them digested, in plain language most people can understand. My free publication (thecoding.substack.com) started earning subscribers, and both my follower count and engagement rate on X (@vinibarbosabr) surged.

This was the evidence I needed that there is demand for high-quality technical content in open-source development, blockchain, and security. So, I doubled down!

I started taking security lessons online (mostly on TryHackMe) and doing capture-the-flag exercises. I learned about other operating systems, networks, data management, offensive and defensive security, and many other interesting things that have only fed my curiosity.

Step 3 – Auditing and Bug Bounty Hunting

It was only recently that I finally felt confident enough to put all my knowledge into practice and created my account on HackenProof.

Right now, I’m auditing some projects and getting better at this particular task. Articles from Zakaria Eddafri, like How to Read Any Smart Contract Project Without Getting Lost, are helping me a lot to understand the mind of a smart contract auditor, and I’m also starting to write some Python scripts adapted to my needs.

AI played an active part in all three steps, and one thing I have to say about that is that AI must be used properly if you want to optimize your learning.

If you are starting out in software engineering, security research, bug bounty hunting, or any other activity with AI assistance, you should not be using the LLM as your assistant but rather as your teacher and mentor.

You should prompt-engineer it to explain in depth each step, each action, and each code snippet it suggests you write or use. And you should only move on to the next step once everything you are doing is crystal clear. Every lesson counts and compounds.

You will have plenty of time to use AI purely as an assistant to increase your productivity after you have learned everything.

I hope to soon have my first security report published and approved by one of the projects I’m auditing, and maybe I can come back here with a new article about that experience and what I learned in the process.

Conclusion

Bug bounty hunting and security research are not just career paths — they are a response to a structural shift in how software is built, broken, and defended. AI has lowered the barrier to entry on both sides of that equation, but the researchers who invest in genuine understanding will always have an edge over those who rely purely on automation.

The opportunity is real. The demand is growing. And as vibe-coded, AI-generated software floods production environments, the people who know how to find what others missed will be exactly who the industry needs.

If you are thinking about starting, start now. Learn slowly, understand everything, and use AI as a teacher before you use it as a tool. The compounding effect of that approach is exactly what this article is about.
