Denis Makrushin

Bot that collects security research and insights

by Denis Makrushin August 5, 2025

Back in 2020, when X was still called Twitter, I created a simple Telegram bot that analysed Twitter feeds and identified interesting ideas related to vulnerability detection. Every day, it analysed all the posts with the #bugbountytips hashtag from the previous 24 hours, selected the posts with the highest reach based on the number of likes and retweets, and published them to the feed.

Since then, Twitter has shut down its API and rebranded as X and implemented anti-scraping measures to block content harvesting. However, the number of valuable ideas and the size of security community on the platform have not decreased.

With a bit of vibe-coding, the bot can be brought back to life:

The bot uses Playwright to collect and analyse content on X with the hashtags #bugbountytips, #bugbountytip, #bugbounty, #pentest and #redteam that have received a certain number of likes within 24 hours.
The bot transmits these posts for analysis to the DeepSeek-V3 model, which parses each post and prepares an expert commentary.
It publishes the result in the @bhhub Telegram channel at 13:37 (UTC+0).

Link in comments. If you have any ideas for hashtags or sources to add for monitoring, please share them in the comments or via DM.

August 5, 2025

Secret Ingredients for Secure Development: Achieving Fast and Accurate Secret Detection

by Denis Makrushin July 31, 2025

Finding secrets in code can be done quickly and accurately if you know their exact format and search within your own project. The task becomes significantly harder when scanning across multiple projects or an enterprise monorepo. The challenge becomes even bigger if the search area is a developer platform and your secret format is nondeterministic.

Effective secret detection and leak prevention during development are crucial for protecting projects from data breaches. The secret-scanning workflows presented here are designed for defensive use in trusted CI/CD pipelines. By combining lightning-fast push-protection scans with deeper, high-precision sweeps of large codebases, this approach enables defenders to find and revoke leaked credentials right at commit time or during routine audits. This gives them an advantage over any adversary scraping the codebase for sensitive data.

This article will walk you through the discovery phase for a secret analyzer. We’ll explore the latest secret scanning tools, understand their constraints, and identify ways to improve three key metrics of secret scanning: precision, recall, and speed.

July 31, 2025

Blog Research

Секретные ингредиенты безопасной разработки: исследуем способы точного и быстрого поиска секретов

by Denis Makrushin July 22, 2025

Точно и быстро искать секрет в коде — тривиальная задача, если знаешь конкретный формат секрета и осуществляешь поиск в своём проекте. Задача становится сложнее, если твой скоуп включает несколько проектов или один большой корпоративный монорепозиторий. И эта же задача становится вызовом, если область поиска — платформа для разработчиков, а формат твоего секрета — недетерминирован.

Вместе с Андреем Кулешовым и Алексеем Тройниковым в этом году мы сделали POC платформы для безопасной разработки в рамках команды SourceCraft. Сегодня поговорим о функциональности поиска секретов. Наша appsec‑платформа состоит из двух групп инструментов: анализаторы, которые требуют точной настройки, и слой управления, который отвечает за обработку результатов и интеграцию с инфраструктурой. В этом материале пройдём стадию discovery для анализатора секретов: посмотрим на актуальные инструменты поиска секретов, их ограничения и определим направления для повышения трёх ключевых параметров Secret Sсanning: точность, полнота и скорость.

July 22, 2025