m2hcz/README.md

> About

I work on offensive security with a focus on vulnerability research, exploitability validation, and practical remediation.

My work is centered on one question:

As an attacker, what can I actually do — and how do we prove it safely?

I care about impact, not noise. A good finding is reproducible, scoped, clearly explained, and useful to the engineers who need to fix it.

> Current Focus 2026

> Web application vulnerability research
> OAuth / callback / session binding flaws
> CSRF and local-app request forgery
> Cloud IAM and workload identity abuse
> CI/CD, GitHub Actions, and supply-chain attack paths
> AI developer tooling security and agent-assisted review workflows
> Bug bounty triage discipline: impact, exploitability, reproducibility

> Research Areas

🌐 Web & AppSec

Auth bypass, IDOR, access-control failures, XSS with real impact, CSRF, request smuggling, SSRF, file upload abuse, and business-logic flaws.

🔐 Identity & Cloud

OAuth/OIDC edge cases, token exchange, metadata pivots, IAM misconfiguration chains, workload identity boundaries, and secret exposure paths.

📦 Supply Chain

Dependency confusion, package trust, CI runner isolation, artifact poisoning, build cache leaks, and GitHub Actions hardening.

🧪 Exploit Validation

Safe PoCs, controlled test environments, fake backends, local reproduction, scanner triage, and evidence that survives security review.

> Toolbelt

Languages: shown as badge images in the original README
Infra & Platforms: shown as badge images in the original README
Security Workflow: Burp Suite, mitmproxy, Frida, Ghidra, Semgrep, gosec, nuclei, Playwright

> How I Work

1. Scope first
   I keep testing inside explicit authorization and defined boundaries.

2. Reproduce before reporting
   I separate scanner output from exploitable behavior.

3. Prove impact safely
   I prefer controlled PoCs, local fake services, and non-destructive payloads.

4. Write for engineers
   Reports include affected paths, attack preconditions, reproduction steps,
   impact, and practical remediation.

5. Reduce noise
   If it cannot answer "as an attacker I could...", it is not ready.

> Selected Workflows

🎯 Bug bounty / disclosure workflow
Recon -> scope check -> candidate finding -> exploitability validation
      -> impact calibration -> report drafting -> triage response
      -> remediation notes -> retest if requested
🔍 Repository security review workflow
Threat model -> source/sink mapping -> auth boundary review
             -> local dynamic validation -> scanner triage
             -> minimal PoC -> report-ready evidence
🧠 Current research notes
Local developer tooling:
  - localhost service trust boundaries
  - CSRF against local management UIs
  - token forwarding from local apps to cloud APIs

Identity flows:
  - missing state/nonce binding
  - account/session fixation
  - callback trust and redirect handling

AI security:
  - AI connector trust boundaries
  - review payload exposure
  - agent workflow abuse


> Contact

The best way to reach me is email:

m2hczs@proton.me

For security reports, include scope, affected asset, reproduction steps, impact, and remediation context.



Pinned repositories

1. reconmapper-v2.0 (Python): 🛰️ Async web recon tool that crawls and maps directories, parameters, inputs, and APIs — powered by Playwright & Python.

2. ParamHunter-Pro (Python): ParamHunter Pro v6.9 - Advanced web application parameter discovery & security scanner with built-in crawler, SQLi/XSS fuzzer, and external tool integration (subfinder, nuclei, sqlmap). Async Pytho…

3. PoC-for-Next.js-Middleware (Python): 🔓 Proof-of-Concept for a fictional Next.js middleware bypass (CVE-2025-29927) — craft sub-requests to test protected routes.

4. Sqli-Automaticly-Scanner (JavaScript): Discovers same-origin links/forms and probes common web vulnerabilities with fast, lightweight heuristics — easy to audit and CI-friendly.

5. CVE-2025-6440-Poc-Exploit (Python)

6. pathward (Python): Defensive Python library against path traversal, symlink escape, Zip Slip, and TOCTOU.