Web developer & security researcher.
Hi, my name is Ed. I am a web designer, developer, security researcher, and have experience triaging for numerous security programs. In my spare time I like swimming, playing the guitar, photography, and cinematography. I am the author of the security.txt, The Security Policy Specification Standard Internet drafts, and Bug Bounty Guide. I am currently studying computer science at the ETH Zürich and work for HackerOne as a security analyst.
An analysis of logic flaws in web-of-trust services. Feb 13, 2018
Web-of-trust services (WOT) such as Keybase, Onename, and Blockstack promise to verify individuals' identities on the web. Since many applications on the web are not consistent in how they handle identity proofs, this often leads to unintended behaviour and therefore to security vulnerabilities in web-of-trust services.
This is a technical write-up and proposal based on research conducted by Tom Hudson and EdOverflow to develop a formula that calculates bounty amounts efficiently and transparently. This write-up also highlights the potential benefits of using this formula in the bug bounty industry.
Operation FGTNY 🗽 - Solving the H1-212 CTF. Nov 19, 2017
Solving the "H1-212" CTF by HackerOne.
Bypassing Server-Side Request Forgery filters by abusing a bug in Ruby's native resolver. Nov 9, 2017
I discovered a bug in Resolv::getaddresses that has direct security implications on any Ruby-based application or gem that relies on it for anything security related.
The following is a lightweight reconnaissance setup that should help you quickly gather information on a given target. We will run through the basic installation steps and then take a look at how to use this setup while hunting.
This post aims to give you a basic overview of the different issues that could possibly arise if a target links to an expired endpoint.
On-platform GitHub Reconnaissance Aug 31, 2017
My basic workflow when using GitHub for recon purposes.
My solutions to the "reversing the passwords" CTF by Jobert.
GitHub for Bug Bounty Hunters Aug 8, 2017
My tips for finding security issues in GitHub projects.
Bug Bounty FAQ Jul 22, 2017
A list of questions that bug bounty hunters frequently DM me about. 😄