I specialize in identifying critical failures in large-scale systems. Here are some of my most significant disclosures.
Featured in TechCrunch. A leaked GitHub token granted access to hundreds of private repositories, cloud infrastructure, and order fulfillment systems.
Discovered a leaked OAuth token granting write access to 'github/github' and 74,000+ private repositories.
Identified a publicly exposed employee token with 'repo' and 'workflow' scopes, allowing access to source code and build pipelines.
Acknowledged in the Vue.js Security Hall of Fame. Found a leaked Algolia Admin API key with write access to the official documentation search index.
The languages and tools I use to uncover vulnerabilities.
Building custom scanners and automation tooling
Network analysis, interception, and reverse engineering
Where I deploy code and engage with the community
Open source tools and scanners I've built to automate the hunt.
High-performance GraphQL harvester that enumerated 600k+ users and 8M+ pens for secret scanning. Features concurrent workers, proxy rotation, and SQLite state tracking.