This repository is a collection of my independent security research, vulnerability findings, and bug bounty writeups. I focus on infrastructure-level flaws, information disclosure chains, and systemic misconfigurations in enterprise environments. My methodology is built around thinking like a motivated adversary rather than a compliance checklist - because that's who organizations actually need to defend against.
Most of the findings in this repo were identified using Foxhunt, my custom stateful reconnaissance pipeline. It handles the unglamorous parts of recon - persistence, scope validation, checkpoint resume, and data deduplication - so I can focus on the part that actually matters.
- Logic-driven: Built-in detection for internal IP leaks, high-value service identification, and secret pattern matching across JS bundles
- Resilient: Session-based with checkpoint resume and clean interrupt handling - a 25-stage scan that dies at stage 23 picks back up where it left off
- Clean data: Automatically bifurcates public and private infrastructure to reduce noise and keep findings high-signal
- Hybrid model: Automation finds the haystack. Manual analysis finds the needle. Both matter.
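The checkpoint-resume behaviour described for Foxhunt above, shown as an added example in Python. This is not Foxhunt's code; the stage names, checkpoint location and simulated crash are constructed for illustration, and the only assumption is that each stage is a callable that takes and returns a dict of pipeline state.

```python
"""Added example (not Foxhunt's code): a minimal checkpoint/resume runner for a
multi-stage pipeline. After each stage finishes, its name and the pipeline
state are written to a checkpoint file; a re-run skips every stage already
recorded, so a scan that dies at stage 23 of 25 resumes at 23, not at 1.

Assumptions: stages are callables that take and return a dict of state; the
stage names, checkpoint location and simulated crash below are constructed.
"""
import json
import os
import tempfile


def load_checkpoint(path):
    """Return (state, done_stage_names); an absent file means a fresh run."""
    if not os.path.exists(path):
        return {}, []
    with open(path) as fh:
        data = json.load(fh)
    return data.get("state", {}), data.get("done", [])


def save_checkpoint(path, state, done):
    """Write to a temp file and rename it over the checkpoint, so a crash
    during the write can never leave a truncated checkpoint behind."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump({"state": state, "done": done}, fh)
    os.replace(tmp, path)


def run_pipeline(stages, checkpoint_path):
    """Run (name, fn) stages in order, skipping any the checkpoint marks done.
    Returns (final_state, names of stages executed in this session)."""
    state, done = load_checkpoint(checkpoint_path)
    executed = []
    for name, fn in stages:
        if name in done:
            continue                  # completed in an earlier session
        state = fn(state)
        done.append(name)
        executed.append(name)
        save_checkpoint(checkpoint_path, state, done)  # persist after each stage
    return state, executed


def demo(workdir=None):
    """Crash on the first attempt at stage 'c', then resume; the second run
    should execute only 'c'. Returns (final_state, stages_run_on_resume)."""
    workdir = workdir or tempfile.mkdtemp(prefix="checkpoint-demo-")
    path = os.path.join(workdir, "checkpoint.json")
    attempts = {"c": 0}

    def stage_a(s):
        s["a"] = 1
        return s

    def stage_b(s):
        s["b"] = s["a"] + 1
        return s

    def stage_c(s):
        attempts["c"] += 1
        if attempts["c"] == 1:
            raise RuntimeError("simulated crash during stage c")
        s["c"] = s["b"] + 1
        return s

    stages = [("a", stage_a), ("b", stage_b), ("c", stage_c)]
    try:
        run_pipeline(stages, path)          # first session dies at stage c
    except RuntimeError:
        pass
    return run_pipeline(stages, path)       # resumes at c; a and b are skipped


if __name__ == "__main__":
    final_state, resumed = demo()
    print("resumed stages:", resumed)       # ['c']
    print("final state:", final_state)
```

The write-then-rename in `save_checkpoint` is the part worth copying: a checkpoint that is only ever replaced atomically cannot be half-written when the process is killed, which is exactly the moment you need it to be trustworthy.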
Each writeup is sanitized to protect the organizations involved while maintaining full technical transparency. Findings are linked below with severity, vulnerability class, and triage outcome.
| # | Title | Severity | Class | Triage |
|---|---|---|---|---|
| 01 | Hardcoded API Key Exposure: Third-Party Geolocation Service | Low | CWE-798 | Duplicate |
| 02 | Unauthenticated Protobuf API Schema Disclosure | Medium | CWE-200 | Duplicate |
| 03 | Unauthenticated Firebase Realtime Database Read: Spatial Telemetry Extraction | Low | CWE-284 | Duplicate |
| 04 | Production Telemetry Injection and Infrastructure Mapping via Exposed Config | Low | CWE-212 | N/A (Contested) |
| 05 | Internal Network Topology Disclosure via Public DNS | Low | CWE-200 | Duplicate |
| 06 | Unauthenticated Swagger UI Exposure: Internal Employee Portal API | Medium | CWE-212 | Duplicate |
| 07 | Public Dotfiles Expose Authentication Blueprint and Agentic AI Supply Chain Risk | High | CWE-200 / CWE-312 | Duplicate |
Full engagement reports cover extended testing windows against a single target, consolidating multiple findings into a single structured document with cross-cutting analysis and remediation prioritization.
| Engagement | Findings | Severity Range | Status |
|---|---|---|---|
My research follows a consistent pipeline designed to keep findings high-signal and impact well-documented.
1. Passive Aggregation: Deep recon across DNS records, client-side JS bundles, certificate transparency logs, and public metadata to map the external attack surface before touching anything.
2. Logic Filtering: Automation flags anomalies - internal IP disclosures, suspicious response behaviors, secret patterns in assets, misconfigured edge proxies. Foxhunt handles most of this automatically.
3. Exploit Pathing: The creative phase. Once an anomaly is flagged, I map potential chains. Does the leak enable SSRF? Does the exposed key grant data access? Does the schema reduce the cost of a targeted attack? Impact matters more than the finding itself.
4. Active Validation: Every finding gets a manual, controlled proof-of-concept before a single word of the report is written. If I can't show it works, I don't report it.
5. Responsible Disclosure: All findings go through official channels. Writeups are sanitized to protect organizational and personal identifiers while preserving full technical detail for the research community.
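The public/private bifurcation from the Foxhunt feature list and the internal-IP-disclosure check from the Logic Filtering step, as one added example in Python. This is my code, not Foxhunt's; the hostnames and addresses are constructed and refer to no real organization, and the input format (host, record type, value) is an assumption standing in for a zone export or resolver output.

```python
"""Added example (not Foxhunt's code): split resolved DNS records into public
and private infrastructure and flag internal addresses that have leaked into a
public zone. Explicit ranges are used instead of ipaddress's is_private so that
documentation space (203.0.113.0/24 here) is not lumped in with internal space.

Assumptions: records arrive as (host, record_type, value) tuples from a zone
export or resolver output; every record below is constructed for illustration.
"""
import ipaddress

# Ranges that have no business in a public zone. 100.64.0.0/10 is the CGNAT
# block, which overlay networks such as Tailscale also use for node addresses.
INTERNAL_RANGES = [
    (ipaddress.ip_network("10.0.0.0/8"), "rfc1918"),
    (ipaddress.ip_network("172.16.0.0/12"), "rfc1918"),
    (ipaddress.ip_network("192.168.0.0/16"), "rfc1918"),
    (ipaddress.ip_network("100.64.0.0/10"), "cgnat/overlay"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local"),
    (ipaddress.ip_network("::1/128"), "loopback"),
    (ipaddress.ip_network("fc00::/7"), "ipv6-ula"),
    (ipaddress.ip_network("fe80::/10"), "link-local"),
]

# Constructed sample records (not real hosts): what a zone audit hands the filter.
SAMPLE_RECORDS = [
    ("www.example.test", "A", "203.0.113.10"),
    ("WWW.example.test.", "a", "203.0.113.10"),           # same record, different case/trailing dot
    ("api.example.test", "A", "203.0.113.20"),
    ("jenkins.corp.example.test", "A", "10.20.30.40"),     # RFC 1918 address in public DNS
    ("build-agent.corp.example.test", "A", "100.101.102.103"),  # overlay-network address
    ("intranet.example.test", "AAAA", "fd12:3456:789a::1"),     # IPv6 ULA
    ("mail.example.test", "MX", "mail.example.test."),     # not an address at all
]


def classify(value):
    """Return (bucket, label): bucket is 'public', 'private' or 'other'."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "other", None              # CNAME/MX/TXT targets and the like
    for net, label in INTERNAL_RANGES:
        if addr.version == net.version and addr in net:
            return "private", label
    return "public", None


def normalize(host, rtype, value):
    """Canonical key so case and trailing-dot variants dedupe to one record."""
    return (host.lower().rstrip("."), rtype.upper(), value)


def bifurcate(records):
    """Deduplicate records, split them into public/private/other buckets and
    list each private address as a leak finding with the range it falls in."""
    seen = set()
    out = {"public": [], "private": [], "other": [], "leaks": []}
    for host, rtype, value in records:
        key = normalize(host, rtype, value)
        if key in seen:
            continue
        seen.add(key)
        bucket, label = classify(key[2])
        out[bucket].append(key)
        if bucket == "private":
            out["leaks"].append({"host": key[0], "address": key[2], "range": label})
    return out


if __name__ == "__main__":
    result = bifurcate(SAMPLE_RECORDS)
    print(f"public={len(result['public'])} private={len(result['private'])} "
          f"other={len(result['other'])}")
    for leak in result["leaks"]:
        print(f"LEAK {leak['host']} -> {leak['address']} ({leak['range']})")
```

Run against your own zone export this is a cheap way to catch the CWE-200 case in finding 05 before anyone else does: every entry in `leaks` is a hostname that tells the outside world something about internal addressing, and the `range` label says which kind of network it belongs to.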
A recurring theme across these findings is that information disclosure gets systematically undertriaged. The standard reasoning is "there's no direct exploit path" - but that framing assumes the attacker is opportunistic and automated. A motivated, patient adversary treats an information disclosure as a force multiplier: it reduces reconnaissance cost, enables surgical targeting, and most dangerously, removes the noisy discovery phase where defenders are most likely to catch them.
I write about this more in the thoughts section.
You'll notice I pass 8.8.8.8 as the resolver in a lot of my DNS commands. I run Tailscale and it absolutely mangles CLI DNS queries for reasons I've never fully debugged. I could fix it properly but honestly it's easier to just specify Google's resolver where the tool accepts it. Foxhunt has configurable DNS for exactly this reason.
This repository is for educational and authorized security testing purposes only. All findings were identified on properly scoped targets and disclosed through official channels. I do not condone or support unauthorized access to any systems.