2025–2026 · Independent Security Researcher

Security Research & Bug Bounty

External black-box security research and bug-bounty engagements — recent work includes 14 verified findings on omnisee.io and an active Zendesk Managed engagement on Bugcrowd.

Modern web and AI products ship faster than their security review can keep up. Public bounty engagements need structured findings — clear severity, reproducers, evidence, and remediation guidance — not vague write-ups. The brief on each engagement is to find, verify, and document issues that survive triage.

  • AppSec
  • AI Security
  • OWASP
  • Bug Bounty
  • Recon

What I owned

End-to-end engagement work: recon, targeted testing, verification, structured reporting with reproducers and screenshots, severity classification per VRT (Bugcrowd Vulnerability Rating Taxonomy), and remediation recommendations. Recent finding categories: missing rate limits enabling LLM-token financial DoS, public exposure of FastAPI auto-docs (/openapi.json, /docs, /redoc), legacy TLS acceptance, information disclosure through health endpoints, body-size and parameter validation gaps, and prompt-injection / RAG-poisoning surfaces on Zendesk AI agents.
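Two of the finding categories above, missing rate limits that allow LLM-token financial DoS and body-size validation gaps, share one mitigation shape: charge each client for the model work a request can cost before the request reaches the model, and reject oversized bodies up front. The block below is an added example written for this page, not the researcher's reproducer code or any client's implementation; the names (TokenBudget, check_request, MAX_BODY_BYTES), the per-window limits, and the characters-per-token estimate are assumptions chosen for illustration.

```python
"""
Added example (not from the engagement write-ups): a sliding-window LLM-token
budget per client plus a request body-size gate. Limits and names are assumed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Tuple

MAX_BODY_BYTES = 8 * 1024      # assumed cap for one chat/completion request body
TOKENS_PER_WINDOW = 2000       # assumed per-client LLM-token budget per window
WINDOW_SECONDS = 60.0          # assumed window length


def estimate_tokens(text: str) -> int:
    """Pre-flight estimate; ~4 characters per token is a common rough heuristic."""
    return max(1, (len(text) + 3) // 4)


@dataclass
class TokenBudget:
    """Sliding-window token budget keyed by client id (API key, account, or IP)."""
    limit: int = TOKENS_PER_WINDOW
    window: float = WINDOW_SECONDS
    _usage: Dict[str, Deque[Tuple[float, int]]] = field(
        default_factory=lambda: defaultdict(deque))

    def _prune(self, client: str, now: float) -> None:
        # Drop charges that have aged out of the window.
        q = self._usage[client]
        while q and now - q[0][0] >= self.window:
            q.popleft()

    def used(self, client: str, now: float) -> int:
        self._prune(client, now)
        return sum(n for _, n in self._usage[client])

    def try_spend(self, client: str, tokens: int, now: float) -> bool:
        """Charge `tokens` if the client stays within budget; otherwise refuse."""
        if self.used(client, now) + tokens > self.limit:
            return False
        self._usage[client].append((now, tokens))
        return True


def check_request(budget: TokenBudget, client: str, body: str, now: float,
                  max_output_tokens: int = 256) -> Tuple[int, str]:
    """Return (http_status, reason) for one request.

    The body-size check runs first so an oversized payload never reaches the
    token estimator or the model. The charge covers the estimated prompt plus
    the largest completion the request may ask for, because output tokens are
    what a financial-DoS request actually burns.
    """
    size = len(body.encode("utf-8"))
    if size > MAX_BODY_BYTES:
        return 413, f"body {size} bytes exceeds {MAX_BODY_BYTES}"
    tokens = estimate_tokens(body) + max_output_tokens
    if not budget.try_spend(client, tokens, now):
        return 429, (f"token budget exhausted "
                     f"({budget.used(client, now)}/{budget.limit} used)")
    return 200, f"accepted, {tokens} tokens charged"


if __name__ == "__main__":
    # Constructed demo traffic: one client repeating a 400-character prompt.
    b = TokenBudget(limit=1000, window=60.0)
    prompt = "x" * 400
    for t in (0.0, 1.0, 2.0, 61.0):
        print(t, check_request(b, "key-A", prompt, t))
    print(check_request(b, "key-A", "y" * (MAX_BODY_BYTES + 1), 62.0))
```

The window is keyed on a client identity the service already authenticates (API key or account); keying on source IP alone leaves the limit bypassable from a pool of addresses. Tune the limit against the model's real per-token price so the budget reflects spend, not just request count.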

Constraints

  • Black-box external testing only — no source-code access
  • Strict scope adherence per engagement brief
  • Safe-harbor compliance (CFAA, DMCA, ToS)
  • Disclosure rules vary per program (some allow write-ups, some do not)

Process

  1. Recon

     Surface mapping via DNS, certificate, and HTTP/TLS reconnaissance. Endpoint enumeration via documentation surfaces and intelligent fuzzing within scope.

  2. Targeted testing

     Per-finding test plan with reproducers. Each finding verified independently before submission.

  3. Evidence capture

     Reproducer commands, response samples, and annotated screenshots for every finding.

  4. Structured reporting

     VRT severity, impact statement, reproducer, evidence, and recommended fix per finding. Markdown + DOCX delivery.

  5. Triage handoff

     Clear, scoped submissions designed to pass triage on first review.

Approach

Bug bounty work pays for clarity, not volume. A clean report with one critical and three majors out-converts a flood of duplicates and informational notes. The discipline is in scope adherence, reproducer quality, and writing impact statements that the triage engineer can act on without a follow-up email.

Deliverables

  • Round 2 submission on omnisee.io: 14 findings (1 critical, 4 major, 9 minor) with reproducers and screenshots
  • Active Zendesk Managed engagement on Bugcrowd targeting AI agents, Copilot, and App Builder
  • Markdown + DOCX report formats per engagement preference
  • Reproducer scripts for every finding
  • Severity-classified, VRT-aligned reporting
  • Remediation guidance for every finding

Outcomes

  • 14 verified, independently reproducible findings on a single target in one engagement round
  • Critical-severity finding (LLM-token financial DoS) with full reproducer and impact statement
  • Active Zendesk Managed engagement on a premium-rated scope ($5,000–$50,000 P1)
  • Reports designed to clear triage cleanly — structured severity, evidence, and fix guidance

What it feels like

Reports are designed to survive a fast triage read: severity at the top, reproducer in three lines, impact in one sentence, fix in two.
