I am a highly skilled cybersecurity professional specializing in white-hat hacking and serving as a principal security consultant. My expertise extends to both software development and application security engineering, which allows me to offer comprehensive and effective security solutions.

In 2014, I embarked on my journey in bug bounty programs, where I demonstrated exceptional proficiency. Through my dedication and talent, I earned a place among the top 20 hackers of all time on HackerOne. With a remarkable track record, I responsibly disclosed over 750 security vulnerabilities to numerous renowned organizations, including Google, Yahoo, Twitter, Facebook, and Uber, among others.

I began contributing technical content on various cybersecurity topics to the Infosec Institute magazine in 2016. This allowed me to disseminate valuable insights and best practices to a wider audience.

In 2017, I joined HackerOne as a security analyst to assist with bug bounty programs management and triage for different renowned organizations such as the US Air Force, Yahoo, Adobe, Salesforce, and others. In this position, I fostered close collaboration with an extensive community of security researchers, ensuring effective triage and coordination.

In 2018, my team won 1st place in HackenCup live hacking competition organized by HackenProof in Kiev, Ukraine. Additionally, I secured 3rd place in the H1-4420 live hacking event organized by HackerOne in London, UK.

Expanding my horizons, I began offering contract services in 2020, specializing in security consulting. My expertise includes penetration testing, security assessments, code reviews, and training across diverse industries. This allowed me to deliver comprehensive security solutions tailored to the unique needs of each organization.

In 2022, I became a part of HackerOne’s pentest program and achieved certification as a Bugcrowd Certified Penetration Tester (CPT). I also claimed 1st place and was honored with the title of Most Valuable Hacker (MVH) at HackerOne’s H1-303 live hacking competition held in Denver, CO.

Building on my expertise and reputation, I joined HackerOne’s Hacker Advisory Board (HAB) for the 2023-2025 term. In this capacity, I contribute my insights and expertise as a security researcher on the platform to represent the hacker community and incorporate their feedback into the products, services and key offerings of HackerOne.

I am honored to have been invited as a keynote speaker at prestigious events such as BSides Ahmedabad 0x03, BSides Amman 2019 and BSides Pristhina 2023. Additionally, I actively serve as a member of the CFP review board for BSides Ahmedabad. I have spoken at various international conferences such as BSides Belfast, OWASP Seasides in Goa, NahamCon Europ, and the International Cybersecurity Conference in Kosovo.

My academic achievements include holding two master’s degrees: a master’s degree in the management of information systems from the prestigious IÉSEG School of Management and a second master’s degree in corporate finance from ISCAE business school which further enhances my interdisciplinary knowledge and skills.

Security Research

  • 2014-09-04, Sagem Fast 3304-V2, “Sagem Fast ADSL Router is vulnerable to an authentification bypass vulnerability which allows to modify the preconfigured root password.”

  • 2015-12-22, SeaMonkey browser, “Cross-site scripting (XSS) vulnerability due to unvalidated image src attribute pointing to a javascript: URL.”

  • CVE-2015-7580, Ruby On Rails, “Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x.”

  • CVE-2015-8474, Redmine, “Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine before 2.6.7, 3.0.x before 3.0.5, and 3.1.x before 3.1.1”

  • CVE-2016-5832, Wordpress, “The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors.”

  • CVE-2020-26210, BookStack, “A user with permissions to edit a page could add an attached link which would execute untrusted JavaScript code when clicked by a viewer of the page.”

Projects & Contributions

  • Sublert: a security and reconnaissance tool which leverages certificate transparency to automatically monitor new subdomains deployed by specific organizations and issued TLS/SSL certificate.
  • ASNLookup.com: an API-based SaaS to quickly lookup updated information about specific ASN, Organization or registered IP addresses (IPv4 and IPv6) among other relevant data.
  • Cisco ASA: a script to test for Cisco ASA path traversal vulnerability (CVE-2018-0296) and extract system information.

Conferences & talks

Media & Interviews