EdOverflow

Hi 👋

I am a web designer, developer, security researcher, and have experience triaging for numerous vulnerability disclosure programs. In my spare time, I enjoy swimming, photography, cinematography, and playing the guitar.

In 2017, I published an Internet Draft for a proposed standard which allows websites to define security policies called security.txt. A year later, I created Bug Bounty Guide, a launchpad for bug bounty programs and bug bounty hunters.

Publications

• A File Format to Aid in Security Vulnerability Disclosure (security.txt) IETF Edwin Foudil and Yakov Shafranovich (April 2019)
• A guide to subdomain takeovers HackerOne EdOverflow (August 2018)
• On escalating your bug bounty findings Paged Out! Edwin “EdOverflow” Foudil and T.-C. “Filedescriptor” Hong (August 2019)

Blog posts

• 26 April 2019: “CI Knew There Would Be Bugs Here” — Exploring Continuous Integration Services as a Bug Bounty Hunter
• 15 July 2018: The poor man's bug bounty monitoring setup
• 13 April 2018: Automating your reconnaissance workflow with 'meg'
• 13 February 2018: An analysis of logic flaws in web-of-trust services.
• 29 November 2017: The math behind bug bounties — A formula to calculate bounty amounts.
• 19 November 2017: Operation FGTNY 🗽 - Solving the H1-212 CTF.
• 09 November 2017: Bypassing Server-Side Request Forgery filters by abusing a bug in Ruby's native resolver.
• 29 October 2017: A lightweight reconnaissance setup for bug bounty hunters
• 03 September 2017: Broken Link Hijacking - How expired links can be exploited.
• 31 August 2017: On-platform GitHub Reconnaissance
• 09 August 2017: Capture the flag: reversing the passwords (Solutions)
• 08 August 2017: GitHub for Bug Bounty Hunters
• 22 July 2017: Bug Bounty FAQ

Bookshelf 📖

Here is a list of books that I would highly recommend. Please feel free to reach out if you happen to have any recommendations.

Information security and bug bounty

• Real-World Bug Hunting: A Field Guide to Web Hacking by Peter Yaworski
• The Linux Programming Interface: A Linux and UNIX System Programming Handbook by Michael Kerrisk
• The Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski
• Crypto 101 by Laurens Van Houtven

Programming

• Learn Python 3 the Hard Way: A Very Simple Introduction to the Terrifyingly Beautiful World of Computers and Code by Zed Shaw
• Learn More Python 3 the Hard Way: The Next Step for New Python Programmers by Zed Shaw
• Automate the Boring Stuff with Python: Practical Programming for Total Beginners by Al Sweigart

History

• Enigma: The Battle for the Code by Hugh Sebag-Montefiore

Other

• Don’t Sweat the Small Stuff … and It’s All Small Stuff: Simple Ways to Keep the Little Things from Taking Over Your Life by Richard Carlson
• The Old Man and The Sea by Ernest Hemingway
• Die Verwandlung (The Metamorphosis) by Franz Kafka
• Can’t Hurt Me: Master Your Mind and Defy the Odds by David Goggins
• How to Become a Straight-A Student: The Unconventional Strategies Real College Students Use to Score High While Studying Less by Cal Newport

Get to know me better

Over the years I have given a couple of interviews and made press appearances to comment on random security topics. Aside from my blog posts, I find these resources some of the best ways to get to know me better and hear my thoughts on various topics.

Press appearances

• TechCrunch: Parallels’ KeyGenie lets you play for a free product key, but you can’t ever win HTML (August 2019)
• Bloomberg: Uber Hack Shows Vulnerability of Software Code-Sharing Services HTML (November 2017)
• ZDNet: GitLab fixes security issue that let anyone hijack custom domains (February 2018)
• Security Intelligence (IBM): The Telltale Text File: Security Researcher Proposes Standardization for Reporting Vulnerabilities (September 2017)
• The Register: Bug-finders’ scheme: Tick-tock, this tech’s tested by flaws.. but who the heck do you tell? (January 2018)
• Threatpost: Microsoft Bounty Program Offers Payouts for Identity Service Bugs (July 2018)
• Threatpost: Navigating an Uncharted Future, Bug Bounty Hunters Seek Safe Harbors (July 2018)
• Threatpost: Facebook Now Offers Bounties For Access Token Exposure (September 2018)

Interviews

• HackerOne: Hacker Q&A With EdOverflow (December 2017)
• Intigriti: Bug Business #1: Inside Logic Flaws with EdOverflow
• Detectify: Meet the Hacker: EdOverflow, motivated by community and knowledge sharing (March 2019)
• Yes We Hack: Interview of EdOverFlow : Bug Hunter & mastermind of security.txt
• Bug Bounty Forum: AMA with @edoverflow (March 2018)