Ben Zimmermann

Security Researcher

Hey, I'm Ben. I'm a security researcher from California. I've been awarded over $20,000 in bug bounties for securing critical infrastructure and the open web.

GitHubLinkedInEmail

Security Research

I specialize in identifying critical failures in large-scale systems. Here are some of my most significant disclosures.

Nov 2025

GitHubCritical Infrastructure Access

$20,000

Discovered a leaked OAuth token granting write access to the 'github/github' repository and 74,000+ other private repositories. Provided administrative control over core production codebase.

Nov 2025

TripAdvisorSensitive Data Exposure

$1,500

Identified a publicly exposed employee token with 'repo' and 'workflow' scopes. Allowed unauthorized access to source code, internal build pipelines, and infrastructure.

Oct 2025

Vue.jsAdmin API Key Exposure

Hall of Fame

Found a leaked Algolia Admin API key with full write access to the official documentation search index. Acknowledged in the Vue.js Security Hall of Fame.

Sep 2025

Chrome ExtensionsAI Auth Bypass

Resolved

Reverse-engineered popular AI extensions to bypass client-side authentication, allowing unlimited free access to premium LLM APIs (GPT-5, Claude 4.5) for 100k+ users.

Tech Stack

The languages and tools I use to uncover vulnerabilities.

Automation & Scripting

Building custom scanners and automation tooling

Python
Python
Bash
Bash
C++
C++

Security Operations

Network analysis, interception, and reverse engineering

Burp Suite
Burp Suite
Wireshark
Wireshark

Platforms

Where I deploy code and engage with the community

Discord
Discord
GitHub
GitHub

Projects

Open source tools and scanners I've built to automate the hunt.

EasyApex

Open Source

Automated Chrome extension for solving Apex Learning quizzes using Vision AI. Handles text, images, and drag-and-drop questions with human-like delays.

#TypeScript#React#Vision AI

CodePen Scraper

Private

High-performance GraphQL harvester that enumerated 600k+ users and 8M+ pens for secret scanning. Features concurrent workers, proxy rotation, and SQLite state tracking.

#Python#GraphQL#SQLite