Summary It's possible in Copilot to bypass any billing / 'premium request' usage by taking advantage of: Subagents and tool calls not consuming any 'requests'. Request cost being calculated on the initial model used. "Free" models incl. ...

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

A security vulnerability in GitHub Copilot allows users to bypass billing for premium AI models by exploiting how subagents and tool calls are metered. By starting with a free model like GPT-5 Mini and using it to launch subagents with premium models like Claude Opus 4.5, users can access expensive models without consuming premium request credits. The issue was initially reported to Microsoft Security Response Center but was redirected to be filed as a public bug report, despite including detailed exploitation instructions.

Billing can be bypassed using a combination of subagents with an agent definition, resulting in unlimited free premium requests. · Issue #292452 · microsoft