~/security $ whoami

ozz

Hands-on application security — bug bounty findings, API testing, and recon tooling. Ready to contribute from day one.

Application Security
API Security
Authentication & Session Management
Access Control
Recon & Automation

I'm an application security researcher currently looking for my first role in AppSec or security analysis. Over the past two years I've been learning and doing bug bounty work — mostly web apps and APIs. I've reported real vulnerabilities in production environments: broken access control, SSO issues, and authentication flaws. Nothing massive, but real findings in real systems. I'm comfortable with Burp Suite, manual testing, and writing clear reports. I also built a small recon pipeline (OzzMon) that runs on GitHub Actions to monitor attack surface changes. Still learning. But I test carefully, document thoroughly, and don't report noise.

4 research pieces
Top 200 – HTB Cyber Apocalypse 2025
2+ years active

Selected vulnerability reports and technical writeups based on real-world findings.

Web Application Security
API Security Testing
Authentication & Session Management
Access Control (IDOR, Privilege Escalation)
Vulnerability Analysis & Reporting
Recon & Attack Surface Mapping
Linux / Bash
Python (Automation)
Common Web Vulnerabilities (XSS, SQLi, CSRF)
Security Testing Tools (Burp, FFUF, Nuclei)