$ ls -la ./findings

Portfolio & Findings

Selected acknowledgements, public CVEs, and writeups. Many engagements are under NDA — what's listed here is everything publicly disclosable.

Acknowledgements

Hall of Fame

Programs that have publicly thanked me for responsibly disclosed findings.

Google
Microsoft
Apple
Meta
Shopify
GitLab
Atlassian
PayPal
Yahoo
Cloudflare

// Replace with real vendor names + thanks-page URLs.

Public Disclosures

Assigned CVEs

Coordinated vulnerability disclosures with assigned CVE identifiers.

CVE               Product                 Severity
CVE-202X-XXXXX    Vendor Product A        High
CVE-202X-XXXXX    Open-Source Library B   Medium
CVE-202X-XXXXX    SaaS Platform C         Critical

Highlights

Featured Findings

A handful of bugs that taught me something new about how systems break.

Public bounty program·Critical

Account Takeover via OAuth State Replay

Replayed a leaked OAuth state parameter to bind an attacker-controlled authorization code to a victim's session, resulting in account takeover. Required a nuanced understanding of the program's identity stack.
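The pattern behind this class of bug, as an added illustration (not code from the program or the engagement): a client that recognises state values globally and never consumes them, beside one that binds state to the initiating session, expires it, and accepts it once. All names, the CODES table and the in-memory sessions are constructed stand-ins.

```python
import hmac
import secrets
import time

# Constructed stand-in for the provider's token endpoint: maps an authorization
# code to the account it was issued for. Hypothetical values.
CODES = {"code-attacker": "attacker@example.test", "code-victim": "victim@example.test"}


def exchange_code(code):
    return CODES[code]


class VulnerableClient:
    """Bug pattern: state is checked against a global set of everything ever
    issued and is never consumed, so a state that leaks (referer, logs, a
    shared link) keeps working and works from any browser session."""

    def __init__(self):
        self.issued = set()

    def begin_login(self, session):
        state = secrets.token_urlsafe(16)
        self.issued.add(state)
        return state

    def callback(self, session, state, code):
        if state not in self.issued:
            raise PermissionError("unknown state")
        session["user"] = exchange_code(code)   # binds whatever code arrived to this session
        return session["user"]


class HardenedClient:
    """State is stored in the session that started the flow, compared in
    constant time, expires, and is popped (consumed) on first use."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds

    def begin_login(self, session, now=None):
        state = secrets.token_urlsafe(32)
        session["oauth_state"] = state
        session["oauth_state_issued"] = time.time() if now is None else now
        return state

    def callback(self, session, state, code, now=None):
        now = time.time() if now is None else now
        expected = session.pop("oauth_state", None)          # pop: single use
        issued = session.pop("oauth_state_issued", None)
        if expected is None or not hmac.compare_digest(expected.encode(), state.encode()):
            raise PermissionError("state not bound to this session")
        if now - issued > self.ttl:
            raise PermissionError("state expired")
        session["user"] = exchange_code(code)
        return session["user"]


def login_csrf_outcome(client_cls):
    """Attacker starts a flow, obtains a state, and lures a victim (who started
    no flow) to the callback with the attacker's state and code. Returns the
    account the victim's session ends up bound to, or the rejection reason."""
    client = client_cls()
    attacker_session, victim_session = {}, {}
    leaked_state = client.begin_login(attacker_session)
    try:
        return client.callback(victim_session, leaked_state, "code-attacker")
    except PermissionError as exc:
        return f"rejected: {exc}"


def replay_outcome(client_cls):
    """One session completes a legitimate login, then the same callback is
    replayed. Returns (first result, second result)."""
    client = client_cls()
    session = {}
    state = client.begin_login(session)
    first = client.callback(session, state, "code-victim")
    try:
        second = client.callback(session, state, "code-victim")
    except PermissionError as exc:
        second = f"rejected: {exc}"
    return first, second
```

The two things to check in any OAuth client you test: whether the callback compares the incoming state against something stored in the caller's own session (not a server-wide table), and whether a second request with the same state still succeeds. The hardened client above answers no to both by construction.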

Private engagement·High

GraphQL Mass Assignment in Tenant Admin

An undocumented mutation accepted role fields that the schema layer silently dropped but the resolver still persisted. Full role escalation.
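How a field can be dropped by the schema layer and still reach storage, as an added illustration (not the engagement's API or code): the schema coerces the input and strips the undeclared field, but the resolver reads the raw request variables from the execution context instead of the coerced args. The input type, User model, field names and request body are all constructed for the example.

```python
import json
from dataclasses import dataclass

# Hypothetical input type: the only fields the schema declares as writable.
INPUT_TYPES = {"UpdateProfileInput": {"displayName", "email"}}


@dataclass
class User:
    id: int
    displayName: str
    email: str
    role: str


def schema_coerce(input_type, raw_input):
    """Models a schema layer that silently strips undeclared input fields
    instead of failing validation. The mutation reports success and the client
    never learns that 'role' was ignored, which is what hides the bug."""
    declared = INPUT_TYPES[input_type]
    return {k: v for k, v in raw_input.items() if k in declared}


def vulnerable_resolver(user, args, ctx):
    """Bug pattern: persists the raw request variables from the context rather
    than the coerced args, so every field the client sent reaches the model."""
    for field, value in ctx["variables"]["input"].items():
        setattr(user, field, value)
    return user


WRITABLE_PROFILE_FIELDS = {"displayName", "email"}


def hardened_resolver(user, args, ctx):
    """Writes only coerced args that are also on an explicit per-mutation
    allowlist, and fails loudly on anything else. Never touches ctx variables."""
    unexpected = set(args) - WRITABLE_PROFILE_FIELDS
    if unexpected:
        raise ValueError(f"non-writable fields: {sorted(unexpected)}")
    for field in args:
        setattr(user, field, args[field])
    return user


def execute_update_profile(resolver, request_body):
    """Minimal execution path: parse the request, coerce the input against the
    schema, hand both the coerced args and the raw context to the resolver (as
    real servers do), and return the persisted user."""
    req = json.loads(request_body)
    user = User(id=7, displayName="Alice", email="alice@example.test", role="member")
    args = schema_coerce("UpdateProfileInput", req["variables"]["input"])
    ctx = {"variables": req["variables"], "current_user_id": 7}
    resolver(user, args, ctx)
    return user


# Constructed attacker request: an ordinary profile update carrying an extra
# 'role' field the input type does not declare.
ATTACK_REQUEST = json.dumps({
    "query": "mutation($input: UpdateProfileInput!) "
             "{ updateProfile(input: $input) { id role } }",
    "variables": {"input": {"displayName": "Mallory", "role": "tenant_admin"}},
})
```

A spec-conformant GraphQL validator rejects an input object field that the type does not declare; a layer that strips such fields instead turns a hard error into a silent success and removes the one signal that would have caught this in testing. When auditing resolvers, grep for reads of the raw variables or request body and compare the set of attributes written against the set the input type declares.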

Public bounty program·Critical

SSRF → IMDS → Cloud Account Pivot

Chained a thumbnail-render SSRF into the instance metadata service (IMDSv1, reachable with a plain GET and no session token) and read the short-lived cloud credentials it serves. Reported and patched within 48 hours.
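The egress check a thumbnail fetcher needs in order to close this path, as an added illustration (not the program's code): validate the scheme, resolve the host, and refuse every resolved address that is not globally routable, including the link-local metadata address, its decimal and IPv4-mapped IPv6 spellings, and the IPv6 metadata address in ULA space. The FAKE_DNS table, hostnames and the `is_allowed` helper are constructed for the demo; `system_resolver` is what production would use.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_forbidden_address(ip_text):
    """True for any destination a server-side fetcher must never reach:
    loopback, RFC 1918 and other non-global ranges, link-local
    (169.254.169.254 lives here), IPv6 ULA (fd00:ec2::254 lives here) and
    multicast. IPv4-mapped IPv6 addresses are unwrapped first so
    ::ffff:169.254.169.254 is caught as its IPv4 form."""
    addr = ipaddress.ip_address(ip_text)
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return (not addr.is_global) or addr.is_multicast


def system_resolver(host):
    """Production resolver: every address the name maps to, v4 and v6."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def check_fetch_target(url, resolver=system_resolver):
    """Validates a user-supplied URL and returns the single IP the fetcher
    must connect to; raises ValueError otherwise. Every resolved address is
    checked, not only the first, so a name that mixes a public and a
    metadata address is rejected outright."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        ipaddress.ip_address(host)           # literal IP, including [v6] form
        candidates = [host]
    except ValueError:
        candidates = resolver(host)          # hostname, or a form such as 2852039166
    if not candidates:
        raise ValueError(f"unresolvable host: {host!r}")
    for ip in candidates:
        if is_forbidden_address(ip):
            raise ValueError(f"{host!r} resolves to forbidden address {ip}")
    # Connect to this pinned IP and set the Host header yourself, and do not
    # follow redirects blindly: re-resolving at connect time, or letting the
    # HTTP client follow a 302, reopens the hole this check just closed.
    return candidates[0]


# Constructed DNS table standing in for the resolver during the demo.
FAKE_DNS = {
    "cdn.example.org": ["93.184.216.34"],
    "metadata.corp.internal": ["169.254.169.254"],
    "2852039166": ["169.254.169.254"],   # decimal spelling of 169.254.169.254, as inet_aton parses it
    "rebind.example.net": ["93.184.216.34", "169.254.169.254"],
    "mapped.example.net": ["::ffff:169.254.169.254"],
    "imds6.example.net": ["fd00:ec2::254"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def is_allowed(url, resolver=fake_resolver):
    """Convenience wrapper for the demo: True if the fetcher may proceed."""
    try:
        check_fetch_target(url, resolver)
        return True
    except ValueError:
        return False
```

The address check is the last line of defence, not the first: requiring IMDSv2 (a PUT for a session token, with a hop limit of 1) on the instances means a simple GET-based SSRF cannot reach credentials even if the allowlist has a gap, and running the renderer under a role with no permissions beyond what thumbnailing needs limits what those credentials are worth.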

Want a similar level of detail on your own systems?

Start a Conversation →