I specialize in identifying critical failures in large-scale systems. Here are some of my most significant disclosures.
Acknowledged by Red Hat Security. Discovered a leaked SSH private key granting write access to eclipse-che/che, the upstream repository for Red Hat OpenShift Dev Spaces.
Featured in TechCrunch. A leaked GitHub token granted access to hundreds of private repositories, cloud infrastructure, and order fulfillment systems.
Discovered a leaked OAuth token granting write access to 'github/github' and 74,000+ private repositories.
Identified a publicly exposed employee token with 'repo' and 'workflow' scopes, allowing access to source code and build pipelines.
Acknowledged in the Vue.js Security Hall of Fame. Found a leaked Algolia Admin API key with write access to the official documentation search index.
Reverse-engineered popular AI extensions to bypass client-side authentication, enabling free access to premium LLM APIs.
Discovered publicly exposed credentials that could compromise development infrastructure.
Identified misconfigurations that could lead to unauthorized access to user data.
Featured in NPR. Discovered a Google Family Link security bypass at age 9, marking the beginning of my security research journey.
The languages and tools I use to uncover vulnerabilities.
Building custom scanners and automation tooling
Network analysis, interception, and reverse engineering
Where I deploy code and engage with the community
Open source tools and scanners I've built to automate the hunt.