Startup Ideas Bank
An unpolished archive of vulnerability PoCs with questionable execution and market fit.
AI roast score: 55/100 (D)
The idea
bikini/exploitarium — A single archive of public exploit PoCs and vulnerability research writeups. At the time I post these, none have been reported. Feel free to report them yourself and take credit for the CVE if handed out lulz. Please do not abuse these. I do this so to allur
Statement
This repo was incomplete when published. That's why some findings are kinda ass (ghidra) and some are better. Going forward, only serious vulnerabilities will be shared (Floci, libssh2, FFmpeg, c-ares).
In regard to AI usage, my fuzzing workflow was automated by AI with a strict harness. I used GPT-5.5-3-Codex-Spark for ALL the fuzzing, as barely any "thought" is necessary when provided with an efficient harness. Contrary to the growing narrative that I'm just some random child burning tokens, I DO actually have a degree in the subject and have published multiple papers on fuzzing methodology. I spent years researching and developing new tools and ideas for how to fuzz. You do NOT need a SOTA model to help you identify these issues, I promise! While being able to afford a better model is helpful, my data seems to show that it is only marginal when paired with decent human oversight and a good harness. None of the actual PoCs themselves were vibe-coded; I did, in fact, hand-type them. I did use AI assistance for RustDesk, however, as I'm not as familiar with the language. The README files are very clearly entirely AI, however, as AI can format a pretty mean Markdown file. I reviewed them to make sure they were accurate.
I'd also like to credit someone for the objdump finding. It turns out, someone beat me to the punch (they also have a better PoC too!). Please give them the credit they deserve:
https://github.com/4D4J/objdump-Out-Of-Bounds-write
News/Contact
New drops today ;) Biggest thing yet (DELAYED, I PROMISE THE WAIT WILL BE WORTH IT! After this, you guys will usually get one new PoC a day)
I've also noticed a surprising amount of "security researchers" aren't able to adjust the PoC to work in their environment. I will broaden the PoCs for those select few...
If you wish to collaborate/discuss with me, contact me on discord @ashdfrkl
Sharing this repo keeps me motivated to continue dropping my findings for you all.
Exploitarium
A consolidated archive of my public proof-of-concept and vulnerability research writeups.
Most folders contain one of my former standalone PoC repos, preserved with its original README and tracked files. New research entries are added directly here as self-contained folders.
Contents
Folder
Source
Tracked entries
7zip-rar5-motw-chain-poc
bd9533f532c1e4ee6af783b9bb49d1133c600e2c
3
anydesk-printer-com-impersonation-poc
7491303301093b2d40bee9dadf6b38f757ce78e0
4
c-ares-tcp-uaf-cal
The roast
Your idea of sharing vulnerability PoCs for free while expecting to build a community and generate subscription revenue is flawed. If the best you can do is 'kinda ass' (your words), why would anyone pay for it? The market for vulnerability research is already competitive, and your approach lacks a clear business model and differentiation.
Your reliance on AI for fuzzing and markdown formatting doesn't solve the core issue: a lack of compelling, unique value. If researchers can't even adjust your PoCs to their environment, your product's utility is fundamentally compromised. Plus, operating as a solo founder without funding in a domain that demands trust and collaboration is a precarious position.
Launching a 'repo of findings' and expecting people to pay while you give away the credit and the most valuable parts (the CVEs) is not just naive but unsustainable. Your biggest unknown, 'will_pay,' is a glaring red flag—don't expect to build a paying audience on incomplete or subpar content.
Red flags
- Your PoCs are incomplete and inconsistent in quality.
- Unclear monetization strategy for a niche yet competitive market.
- Solo founder without funding in a trust-centric domain.
Verdict
A poorly thought-out vulnerability repository with no clear value proposition or monetization strategy is doomed to fail.
Roast your own startup idea →