Last month I started systematically scanning open-source ML repositories for security vulnerabilities using Claude Code. 33 days later, I have 113 confirmed vulnerabilities across a single project, a pipeline worth $62K-$158K in bounties, and a repeatable process anyone can use.
Here's exactly how it works.
The Target: ML Model Security Scanners
ML model files (pickle, PyTorch, TensorFlow SavedModel) can contain arbitrary code that executes on load. Tools like modelscan exist to detect malicious payloads before they run. The question I asked: how good are these scanners, really?
Answer: not good enough. I found 116 distinct bypass techniques that pass the latest version (0.8.8) with "No issues found!"
The Workflow
Step 1: Map the Attack Surface
Every scanner works on a blocklist — a list of known dangerous functions. The vulnerability isn't in what they block, it's in what they miss.
# Extract the blocklist from modelscan source
BLOCKED = {
"os.system", "subprocess.call", "builtins.exec",
"builtins.eval", "shutil.rmtree", ...
}
# Python stdlib has 300+ modules
# The blocklist covers ~40 functions
# That leaves 260+ modules to explore
I wrote a script that enumerates every stdlib module and checks which ones contain exec(), eval(), system(), or file I/O calls — and aren't on the blocklist.
Step 2: Generate Proof-of-Concept Payloads
For each unblocked module, I built a pickle payload that demonstrates the vulnerability:
import pickle
import struct
class MaliciousPayload:
"""Generates pickle bytecode that calls unblocked functions"""
def __reduce__(self):
# timeit.timeit calls exec() on the first argument
import timeit
return (timeit.timeit, (
"__import__('os').system('id')", # arbitrary command
"pass", # setup
None, # timer
1 # number of executions
))
# Save as .pkl — modelscan says "No issues found!"
with open("bypass.pkl", "wb") as f:
pickle.dump(MaliciousPayload(), f)
The key insight: Python's timeit.timeit() internally calls exec() on whatever string you pass it. It's not on any blocklist because it's a benchmarking tool. But it's a full RCE primitive.
Step 3: Verify and Classify
Every bypass gets tested against the latest scanner version and classified by severity:
| Severity | Criteria | Count |
|---|---|---|
| CRITICAL | Full RCE — arbitrary command execution | 18 |
| HIGH | File read/write, SSRF, or code loading | 24 |
| MEDIUM | DoS, resource exhaustion, info disclosure | 31 |
| LOW | Limited impact or requires chaining | 43 |
The 18 critical RCE chains are devastating. My favorite: importlib.import_module('os') combined with operator.methodcaller('system', 'whoami'). This single chain defeats the entire blocklist because importlib can load any module dynamically.
Step 4: Create Reproducible Evidence
Each vulnerability gets a public HuggingFace repository with:
- The malicious model file
- A README explaining the bypass
- Scan output proving it passes
113 repos. All public. All verified on modelscan 0.8.8.
Step 5: Automated Scanning at Scale
This is where Claude Code skills become powerful. Instead of manually auditing each module, I built a security scanning skill that:
- Parses Python source for dangerous function calls
- Cross-references against known blocklists
- Generates PoC payloads automatically
- Runs the target scanner to verify the bypass
The API Connector skill handles the HuggingFace API integration — uploading repos, managing model cards, batch operations across 113 repositories.
What I Learned About the Bounty Market
The Math
- Time invested: ~40 hours over 33 days
- Pipeline value: $62K-$158K (depending on per-report vs. bulk pricing)
- Hourly rate if paid: $1,550-$3,950/hr
- Current payout: $0 (submissions pending)
That last line matters. Pipeline ≠ revenue. The bottleneck isn't finding vulnerabilities — it's the submission and review process.
What Actually Pays
After scanning 1,700+ bounty issues across 13 platforms (Algora, HackerOne, Huntr, Expensify, GitHub bounty labels), here's what I found:
Pays well ($250-$3,000/vuln):
- Security vulnerabilities in ML/AI tools (Huntr)
- Expensify bugs ($250 each, but requires Upwork account)
- Infrastructure bounties (SigNoz dashboards: $150-$250 each)
Doesn't pay (or pays pennies):
- Generic code bounties on Algora (bone dry above $100)
- FinMind-style bounty farms (30+ bot submissions per issue)
- "Good first issue" tagged bounties (overcrowded within minutes)
Surprise winner: content bounties. Thesys pays $50-$100 per technical article about their OpenUI framework. I submitted 4 articles in one session. Lower ceiling, but guaranteed payout and zero competition.
The Tool Stack
For anyone building a similar workflow, here's what I use:
- Claude Code — the AI brain. Reads source code, identifies patterns, generates payloads
- Semgrep — static analysis for initial triage
- Custom Python scripts — payload generation and scanner verification
- HuggingFace Hub API — automated repo creation and model uploads
- Dashboard Builder skill — when bounties require building monitoring dashboards (SigNoz pays $150-$250 per dashboard template)
The Fundamental Problem with Blocklists
The deeper lesson: blocklist-based security is fundamentally broken for Python pickle.
Python's stdlib has 300+ modules. Many contain exec(), eval(), or system() calls buried in utility functions. You can't blocklist them all without breaking legitimate use. And even if you did, importlib.import_module() lets you load any module dynamically, making the entire blocklist concept moot.
The fix isn't a bigger blocklist. It's sandboxed deserialization — running pickle loads in an isolated environment where even successful code execution can't escape. That's a much harder engineering problem, which is why most tools still use blocklists.
Getting Started
If you want to try security bounty hunting with AI:
- Pick a narrow target. Don't scan everything. Pick one tool, one vulnerability class, go deep.
- Read the source. Blocklists, allowlists, and parsers all have edges. Find them.
- Automate verification. A bypass that hasn't been tested against the latest version isn't a bypass.
- Document obsessively. Bounty reviewers need reproducible steps, not "trust me it works."
- Start with content bounties. Lower risk, guaranteed payout, builds reputation while you learn the process.
The tools exist. The vulnerabilities exist. The bounties exist. The only bottleneck is doing the work.
The security scanning workflow described here uses Claude Code skills for automated vulnerability detection. For building API integrations with bounty platforms, check out the API Connector skill. For dashboard bounties, the Dashboard Builder skill generates SigNoz/Grafana templates from metrics specs.
