I am a web designer, developer, security researcher, and have experience triaging for numerous vulnerability disclosure programs. In my spare time, I like to go swimming, playing the guitar, photography, and cinematography.
In 2017, I published an Internet draft for a proposed standard which allows websites to define security policies called security.txt. A year later, I created Bug Bounty Guide, a launchpad for bug bounty programs and bug bounty hunters.
security.txt - https://tools.ietf.org/html/draft-foudil-securitytxt
A guide to subdomain takeovers - https://www.hackerone.com/blog/Guide-Subdomain-Takeovers
The poor man’s bug bounty monitoring setup - https://edoverflow.com/2018/the-poor-mans-monitoring-setup/
Automating your reconnaissance workflow with ‘meg’ - https://edoverflow.com/2018/meg/
An analysis of logic flaws in web-of-trust services. - https://edoverflow.com/2018/logic-flaws-in-wot-services/
The math behind bug bounties — A formula to calculate bounty amounts. - https://edoverflow.com/2017/the-math-behind-bug-bounties/
Operation FGTNY 🗽 - Solving the H1-212 CTF. - https://edoverflow.com/2017/h1-212-ctf/
Bypassing Server-Side Request Forgery filters by abusing a bug in Ruby’s native resolver. - https://edoverflow.com/2017/ruby-resolv-bug/
A lightweight reconnaissance setup for bug bounty hunters - https://edoverflow.com/2017/lightweight-reconnaissance-setup/
Broken Link Hijacking - How expired links can be exploited. - https://edoverflow.com/2017/broken-link-hijacking/
On-platform GitHub Reconnaissance - https://edoverflow.com/2017/github-recon/
Capture the flag: reversing the passwords (Solutions) - https://edoverflow.com/2017/ctf-reversing-the-passwords/
GitHub for Bug Bounty Hunters - https://edoverflow.com/2017/github-for-bugbountyhunters/
Bug Bounty FAQ - https://edoverflow.com/2017/bugbounty-faq/
How to get the best out of your bug bounty program (Disobey 2017) - https://youtu.be/PdmWQib1P9w
security.txt (IETF 101 SECDISPATCH) - https://youtu.be/rZifKDBKtMM?t=5m41s
Uber Hack Shows Vulnerability of Software Code-Sharing Services (Bloomberg) - https://www.bloomberg.com/news/articles/2017-11-22/uber-hack-shows-vulnerability-of-software-code-sharing-services
GitLab fixes security issue that let anyone hijack custom domains (ZDNet) - https://www.zdnet.com/article/gitlab-fixes-security-issue-that-could-hijack-custom-domains/
The Telltale Text File: Security Researcher Proposes Standardization for Reporting Vulnerabilities (Security Intelligence (IBM)) - https://securityintelligence.com/news/the-telltale-text-file-security-researcher-proposes-standardization-for-reporting-vulnerabilities/
Bug-finders’ scheme: Tick-tock, this tech’s tested by flaws.. but who the heck do you tell? (The Register) - https://www.theregister.co.uk/2018/01/03/security_notification_scheme/
Microsoft Bounty Program Offers Payouts for Identity Service Bugs (Threatpost) - https://threatpost.com/microsoft-bounty-program-offers-payouts-for-identity-service-bugs/134084/
Navigating an Uncharted Future, Bug Bounty Hunters Seek Safe Harbors (Threatpost) - https://threatpost.com/navigating-an-uncharted-future-bug-bounty-hunters-seek-safe-harbors/133202/
Facebook Now Offers Bounties For Access Token Exposure (Threatpost) - https://threatpost.com/facebook-now-offers-bounties-for-access-token-exposure/137477/
private_address_check bypass due to use of Ruby’s Resolv.getaddresses method (CVE-2017-0904) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0904
private_address_check bypass due to an incomplete blacklist (CVE-2017-0909) - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0909
Finished 3rd once in a swimming race against 2 other swimmers.
Email - [email protected]
PGP - https://edoverflow.com/key.asc
GitHub - https://github.com/EdOverflow/
Twitter - https://twitter.com/EdOverflow