Featured Essay · Commentary

It's Your Vendor. It's Your Customer's Data.

How the bug bounty industry's third-party loophole leaves real users exposed.

Recent Posts


Research · Web App

Bypassing Input Filters to Land Reflected XSS via URL Encoding

A client-side input filter on a fleet management portal's search function looked solid — until I encoded the payload. A walkthrough of how Google dorking, a filter bypass, and an obscure event handler combined into a confirmed reflected XSS.

Apr 2026 · 5 min read
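The class of bug the post describes, as an added Python example that is not code from the post or from the portal it tests: a client-side deny-list that inspects the search value before percent-decoding, a server that decodes and reflects it, and the two ways the blurb hints at for getting past the list. The portal host, the deny-list contents and the `ontoggle` payload are assumptions for illustration; the real filter and handler are in the post itself.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical deny-list a client-side filter might apply to the raw
# (still percent-encoded) search value. Assumed for illustration.
BLOCKLIST = ("<script", "onerror", "onload", "onclick", "javascript:")

BASE_URL = "https://portal.example.test/search"  # placeholder host


def encode_all(text):
    """Percent-encode every byte, including the letters a normal encoder leaves alone."""
    return "".join("%%%02X" % b for b in text.encode("utf-8"))


def raw_search_value(url):
    """The q= value exactly as it appears in the URL, before any decoding."""
    for part in urlsplit(url).query.split("&"):
        if part.startswith("q="):
            return part[2:]
    return ""


def client_filter_allows(raw_value):
    """The weak check: substring matching on the undecoded value."""
    lowered = raw_value.lower()
    return not any(token in lowered for token in BLOCKLIST)


def decoded_search_value(url):
    """What the server and the DOM actually see: parse_qs percent-decodes."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(url):
    """Reflects the decoded value into HTML with no output encoding."""
    return "<h2>Results for %s</h2>" % decoded_search_value(url)


def render_fixed(url):
    """Same reflection with contextual output encoding; the input filter stops mattering."""
    return "<h2>Results for %s</h2>" % html.escape(decoded_search_value(url), quote=True)


def attempt(url, renderer=render_vulnerable):
    """Run the client-side filter first, then render only if it lets the value through."""
    if not client_filter_allows(raw_search_value(url)):
        return "blocked"
    return renderer(url)


PAYLOAD = "<img src=x onerror=alert(1)>"
PLAIN_URL = BASE_URL + "?q=" + PAYLOAD
# Bypass 1: encode the letters the deny-list keys on; the decoder undoes it later.
ENCODED_URL = BASE_URL + "?q=" + encode_all(PAYLOAD)
# Bypass 2: an event handler the deny-list never listed needs no encoding at all.
OBSCURE_URL = BASE_URL + "?q=<details open ontoggle=alert(1)>"

if __name__ == "__main__":
    for name, url in (("plain", PLAIN_URL), ("encoded", ENCODED_URL), ("obscure", OBSCURE_URL)):
        print(name, "->", attempt(url))
    print("fixed   ->", attempt(ENCODED_URL, render_fixed))
```

The filter only ever sees the undecoded string, so any token it matches on can be hidden behind percent-encoding; the fix is output encoding at the point of reflection, not a longer deny-list.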

Research · Mobile

What's Inside the APK: Finding Hardcoded Secrets in Android Apps

Android APKs are zip archives. Everything inside them — including secrets developers assumed were hidden — is one unzip away from being readable, and the compiled code is one decompile away. A walkthrough of mobile recon methodology for extracting hardcoded credentials from production apps.

Apr 2026 · 5 min read
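A first-pass version of the recon the post walks through, as an added Python example that is not the post's own tooling: open the APK as a zip, pull the entries where strings live, and run credential-shaped regexes over the raw bytes. The pattern set and the sample APK are constructed for this example (the planted AWS key ID is the one from AWS's own documentation); a real pass would follow up with apktool or jadx on anything that hits.

```python
import io
import re
import sys
import zipfile

# Credential shapes worth flagging on a first pass (illustrative set, assumed here).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "google_api_key": re.compile(rb"AIza[0-9A-Za-z_\-]{35}"),
    "generic_api_key": re.compile(rb"(?i)api[_-]?key\s*[=:]\s*[\"']?([A-Za-z0-9_\-]{20,})"),
    "private_key_block": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Where strings live in an APK: DEX bytecode, bundled assets, raw resources,
# the compiled resource table and the binary manifest. Native libs are skipped here.
SCAN_PREFIXES = ("classes", "assets/", "res/raw/", "resources.arsc", "AndroidManifest.xml")


def scan_apk_bytes(apk_bytes):
    """Return (entry, pattern_name, match) triples for every credential-shaped string."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith(SCAN_PREFIXES):
                continue
            data = apk.read(info.filename)
            # DEX string tables are MUTF-8 and ASCII-compatible, so byte regexes find
            # them without decompiling. resources.arsc may store UTF-16 strings, which
            # this pass does not decode.
            for name, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(data):
                    hit = m.group(m.lastindex or 0).decode("ascii", "replace")
                    findings.append((info.filename, name, hit))
    return findings


def scan_apk_file(path):
    """Scan an APK on disk."""
    with open(path, "rb") as f:
        return scan_apk_bytes(f.read())


def build_sample_apk():
    """Construct a minimal fake APK with planted secrets (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML stub
        z.writestr("classes.dex",
                   b"dex\n035\x00" + b"\x00" * 16
                   + b"AKIAIOSFODNN7EXAMPLE\x00" + b"\x00" * 8)  # AWS documentation example key ID
        z.writestr("assets/config.properties",
                   b"api_key=k7Xm2pQ9vL4nR8tA1bC6dE3fG5hJ0s\nhost=api.example.test\n")
        z.writestr("res/raw/server.pem", b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n")
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_apk.py app.apk   (no argument scans the constructed sample)
    results = scan_apk_file(sys.argv[1]) if len(sys.argv) > 1 else scan_apk_bytes(build_sample_apk())
    for entry, kind, hit in results:
        print("%-28s %-20s %s" % (entry, kind, hit))
```

Anything the regexes flag still needs manual confirmation: high-entropy strings and test fixtures produce false positives, and the keys that matter most are often assembled at runtime, which is where the decompiler comes in.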

Security Researcher & Consultant

Independent security researcher focused on web applications, APIs, and network-exposed services. All research is conducted ethically within authorized bug bounty programs.