Over the last year I’ve taken a step away from my usual bug bounty work to focus more on building resync — my continuous reconnaissance platform. …

In continuation of the philosophical and foundational nature of the book thus far, Chapter 3 opens with a discussion on kinds of numbers, our reliance on the appearance of some of them in nature and how that fueled their original derivation, and how we can rederive them without ties to…

This week wasn’t about me. I and millions of others were focused on the murder of George Floyd. Black Lives Matter. My progress will resume in the next update.

I love watching educational Youtube channels. It’s a great way to constantly keep myself exposed to science and technology. And this is nothing new: I’ve always been engrossed with STEM. Even at a young age, I was sure that I would become a scientist or an engineer, destined to discover…

It’s been over a year and a half since I’ve started my bug bounty journey as a hacker. With years of experience triaging reports and working in security, I’ve seen a plethora of bug types, attack vectors, and exploitation techniques. …

Three weeks ago I saw a blog post by fellow bug hunter, Jack Cable. The post both inspired and challenged me. The attack vector presented was focused more on reduction in computational security than a binary outcome (e.g. XSS, which either fires or it doesn’t). Jack’s article presents a theoretical…

This is a story about how I (re)discovered an exploitation technique and took a bug with fairly limited impact to a 5 digit bounty by bypassing existing mitigations. A Curious Case of HTML Injection André Baptista and Cache-Money were working on a very strange bug. It started off as a simple character-set bypass and through a…

If you’re not aware, I joined Dropbox’s security team last September. Since then, I’ve become very involved in the bug bounty community on two fronts: both running a program and as a hacker in my spare time. …

Today’s topic is something that’s already pretty well covered: CSS injections. I wanted to talk about my experience implementing this attack on a real site. As you may have encountered, the situation in which you find a vulnerability may not be the pristine situation many vulnerabilities are originally described in…