EdOverflow
Hi 👋
I am a web designer, developer, security researcher, and have experience triaging for numerous vulnerability disclosure programs. In my spare time, I enjoy swimming, photography, cinematography, and playing the guitar.
In 2017, I published an Internet Draft for a proposed standard which allows websites to define security policies called security.txt. A year later, I created Bug Bounty Guide, a launchpad for bug bounty programs and bug bounty hunters.

Publications
- A File Format to Aid in Security Vulnerability Disclosure (security.txt) IETF Edwin Foudil and Yakov Shafranovich (April 2019)
- A guide to subdomain takeovers HackerOne EdOverflow (August 2018)
- On escalating your bug bounty findings Paged Out! Edwin “EdOverflow” Foudil and T.-C. “Filedescriptor” Hong (August 2019)
Blog posts
- 31 December 2020: The Story of the Million Dollar Bounty
- 26 April 2019: “CI Knew There Would Be Bugs Here” — Exploring Continuous Integration Services as a Bug Bounty Hunter
- 15 July 2018: The poor man's bug bounty monitoring setup
- 13 April 2018: Automating your reconnaissance workflow with 'meg'
- 13 February 2018: An analysis of logic flaws in web-of-trust services.
- 29 November 2017: The math behind bug bounties — A formula to calculate bounty amounts.
- 19 November 2017: Operation FGTNY 🗽 - Solving the H1-212 CTF.
- 09 November 2017: Bypassing Server-Side Request Forgery filters by abusing a bug in Ruby's native resolver.
- 29 October 2017: A lightweight reconnaissance setup for bug bounty hunters
- 03 September 2017: Broken Link Hijacking - How expired links can be exploited.
- 31 August 2017: On-platform GitHub Reconnaissance
- 09 August 2017: Capture the flag: reversing the passwords (Solutions)
- 08 August 2017: GitHub for Bug Bounty Hunters
- 22 July 2017: Bug Bounty FAQ
Bookshelf 📖
Here is a list of books that I would highly recommend. Please feel free to reach out if you happen to have any recommendations.
Information security and bug bounty
- Real-World Bug Hunting: A Field Guide to Web Hacking by Peter Yaworski
- The Linux Programming Interface: A Linux and UNIX System Programming Handbook by Michael Kerrisk
- The Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski
- Crypto 101 by Laurens Van Houtven
Programming
- Learn Python 3 the Hard Way: A Very Simple Introduction to the Terrifyingly Beautiful World of Computers and Code by Zed Shaw
- Learn More Python 3 the Hard Way: The Next Step for New Python Programmers by Zed Shaw
- Automate the Boring Stuff with Python: Practical Programming for Total Beginners by Al Sweigart
History
- Enigma: The Battle for the Code by Hugh Sebag-Montefiore
Other
- Don’t Sweat the Small Stuff … and It’s All Small Stuff: Simple Ways to Keep the Little Things from Taking Over Your Life by Richard Carlson
- The Old Man and The Sea by Ernest Hemingway
- Die Verwandlung (The Metamorphosis) by Franz Kafka
- Can’t Hurt Me: Master Your Mind and Defy the Odds by David Goggins
- How to Become a Straight-A Student: The Unconventional Strategies Real College Students Use to Score High While Studying Less by Cal Newport
- Why We Sleep by Matthew Walker
- Digital Minimalism: Choosing a Focused Life in a Noisy World by Cal Newport
Get to know me better
Over the years I have given a couple of interviews and made press appearances to comment on random security topics. Aside from my blog posts, I find these resources some of the best ways to get to know me better and hear my thoughts on various topics.
Press appearances
- TechCrunch: Parallels’ KeyGenie lets you play for a free product key, but you can’t ever win HTML (August 2019)
- Bloomberg: Uber Hack Shows Vulnerability of Software Code-Sharing Services HTML (November 2017)
- ZDNet: GitLab fixes security issue that let anyone hijack custom domains (February 2018)
- Security Intelligence (IBM): The Telltale Text File: Security Researcher Proposes Standardization for Reporting Vulnerabilities (September 2017)
- The Register: Bug-finders’ scheme: Tick-tock, this tech’s tested by flaws.. but who the heck do you tell? (January 2018)
- Threatpost: Microsoft Bounty Program Offers Payouts for Identity Service Bugs (July 2018)
- Threatpost: Navigating an Uncharted Future, Bug Bounty Hunters Seek Safe Harbors (July 2018)
- Threatpost: Facebook Now Offers Bounties For Access Token Exposure (September 2018)
Interviews
- HackerOne: Hacker Q&A With EdOverflow (December 2017)
- Intigriti: Bug Business #1: Inside Logic Flaws with EdOverflow
- Detectify: Meet the Hacker: EdOverflow, motivated by community and knowledge sharing (March 2019)
- Yes We Hack: Interview of EdOverFlow : Bug Hunter & mastermind of security.txt
- Bug Bounty Forum: AMA with @edoverflow (March 2018)
Email • Twitter • Buy Me A Coffee ☕ • RSS