The first ten minutes on a new JavaScript bundle
Opening a stranger's bundled JavaScript for the first time. What I grep for, in what order and why. A practical follow-up to why you should not skip JS files at all.
Offensive security insights, bug bounty tips and things I've learned along the way.
CVE-2025-4392 was an unauthenticated stored XSS in the Shared Files plugin. A sanitizer that only ran for SVGs and silently passed everything else through. How the gate made the function's name a lie, and a checklist to grep your own plugin source for the same pattern.
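The gate pattern in a minimal form, as an added illustration that is not the Shared Files plugin's code or the post's own: all function names are hypothetical, and the SVG sanitizer is a stand-in that only strips script elements and event handlers.

```php
<?php
// Added example of the "sanitizer behind an extension gate" pattern.
// Function names are hypothetical; this is not the Shared Files plugin's code.

// Stand-in for a real SVG sanitizer: drops <script> elements and on* handlers.
function sanitize_svg_markup(string $content): string {
    $content = preg_replace('#<script\b[^>]*>.*?</script>#is', '', $content);
    return preg_replace('#\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)#i', '', $content);
}

// The pattern to grep for: the function name promises sanitization, but the
// extension check means every non-SVG upload is returned exactly as received.
function sanitize_upload_vulnerable(string $filename, string $content): string {
    if (strtolower(pathinfo($filename, PATHINFO_EXTENSION)) === 'svg') {
        return sanitize_svg_markup($content);
    }
    return $content; // silent pass-through for .html, .xml, .js, ...
}

// Deny by default: a type is accepted only if a sanitizer exists for it,
// so adding a new type means adding a sanitizer, not widening a gate.
function sanitize_upload_fixed(string $filename, string $content): ?string {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    $sanitizers = ['svg' => 'sanitize_svg_markup'];
    if (!isset($sanitizers[$ext])) {
        return null; // caller must reject the upload
    }
    return $sanitizers[$ext]($content);
}

// Constructed sample: an HTML upload carrying a script.
$html = '<html><body><script>alert(document.cookie)</script></body></html>';
var_dump(sanitize_upload_vulnerable('note.html', $html) === $html);
var_dump(sanitize_upload_fixed('note.html', $html));
```

With the constructed `note.html` input, the vulnerable function returns the content unchanged (the comparison is `true`) while the fixed one returns `NULL`, which the caller treats as a rejected upload. When grepping your own plugin, look for a sanitizing function whose body starts with an `if` on the file extension or MIME type and whose `else` path is a bare `return`; that is the shape of this bug regardless of the file type being gated.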
A walkthrough of CVE-2025-3769, an IDOR in the LatePoint plugin that exposed customer data from about 100K WordPress sites. How I found it, the code-review pattern behind it and a checklist for auditing WordPress plugins yourself.
CRTO is one of the few certs that actually tests if you can operate in an AD environment. Here's my take and some tips if you're preparing.
Attackers don't follow your scope. Limited bug bounty programs protect you from findings while leaving your real attack surface wide open. Here's why wide scopes and recon matter.
The best vulnerabilities aren't on the main domain. Here's why wildcard scopes beat limited ones and how going wide leads to the findings that actually matter.
Running automated scans while ignoring JavaScript files means missing the real gold. Here's how reading JS files led to full admin access on a HackerOne target.
Both lines were written for security. One added protection, the other removed it. How $wpdb->prepare() and stripslashes() combined into a critical SQL injection.
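How those two lines interact, as an added example that is neither the post's code nor WordPress core: `mock_prepare()` is a stand-in for `$wpdb->prepare()` that escapes with `addslashes()` (an approximation of the real `mysqli_real_escape_string` call) and quotes each `%s` argument, and the query and table name are assumptions.

```php
<?php
// Added example, not the post's code and not WordPress core. mock_prepare()
// stands in for $wpdb->prepare(): each %s argument is escaped (addslashes
// here approximates the real mysqli_real_escape_string call) and quoted.
function mock_prepare(string $query, string ...$args): string {
    $quoted = str_replace('%s', "'%s'", $query);
    return vsprintf($quoted, array_map('addslashes', $args));
}

// The two "security" lines in the wrong order: prepare() escapes, then
// stripslashes() on the prepared SQL removes the backslashes that were the
// only thing keeping the attacker's quote inside the string literal.
function build_query_vulnerable(string $user): string {
    $sql = mock_prepare('SELECT * FROM wp_users WHERE user_login = %s', $user);
    return stripslashes($sql);
}

// Fixed: un-slash the *input* (what wp_unslash() exists for, since WordPress
// adds slashes to request data), then let prepare() escape it. The prepared
// query itself is never modified afterwards.
function build_query_fixed(string $user): string {
    return mock_prepare('SELECT * FROM wp_users WHERE user_login = %s', stripslashes($user));
}

// Constructed sample payload.
$payload = "admin' OR '1'='1";
echo build_query_vulnerable($payload), "\n";
echo build_query_fixed($payload), "\n";
```

With the constructed payload the vulnerable path yields `... WHERE user_login = 'admin' OR '1'='1'`, a live injection, while the fixed path yields `... WHERE user_login = 'admin\' OR \'1\'=\'1'`, a harmless string literal. The rule to grep for is any `stripslashes()` or `wp_unslash()` whose argument is a value that has already been through `$wpdb->prepare()` or `esc_sql()`; un-slashing belongs on the input side only.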
Technical expertise matters, but if you want your findings fixed, you need to speak your audience's language. Here's how to translate security issues into business decisions.
How a well-timed DNS change can bypass SSRF filters and turn a blocked vulnerability into full internal network access.
When critical CVEs drop, malicious scanners follow. Here's why you should review the code before running any security tool from GitHub.
Sometimes a single case change in a URL path is enough to bypass 401/403 responses. Here's why this edge case works and when to test for it.
A development endpoint that shouldn't exist led to full remote code execution. Here's how thinking about impact turned one finding into a critical chain.
One character in a URL parameter exposed full database credentials and turned into a $2,000 double critical finding. Here's what happened.
Bug bounty can drain you if you approach it wrong. After 8 years and 1,000+ vulnerabilities, here's what actually matters to avoid burning out.