I specialize in identifying critical failures in large-scale systems. Here are some of my most significant disclosures.
Discovered 3,342 active OpenAI API keys leaked in public repositories. Reported to OpenAI Security, who confirmed and revoked the keys.
Acknowledged by Pump. Found a publicly exposed production environment file containing live AWS credentials with access to 57 S3 buckets, Auth0 management API tokens, and database credentials.
Found a leaked Slack token granting admin-level access to the TYPO3 workspace with 9,600+ members, including private channels and full message history.
Discovered a leaked Netlify token granting access to Algolia's Enterprise account, 44 sites, and DNS records for yarnpkg.com.
Scraped 15,000 documentation sites and found 39 Algolia admin API keys with full write access to search indexes for projects like Home Assistant and KEDA.
Acknowledged by Red Hat Security. Discovered a leaked SSH private key granting write access to eclipse-che/che, the upstream repository for Red Hat OpenShift Dev Spaces.
Featured in TechCrunch. A leaked GitHub token granted access to hundreds of private repositories, cloud infrastructure, and order fulfillment systems.
Discovered a leaked OAuth token granting write access to 'github/github' and 74,000+ private repositories.
Identified a publicly exposed employee token with 'repo' and 'workflow' scopes, allowing access to source code and build pipelines.
Acknowledged in the Vue.js Security Hall of Fame. Found a leaked Algolia Admin API key with write access to the official documentation search index.
Reverse-engineered popular AI extensions to bypass client-side authentication, enabling free access to premium LLM APIs.
Discovered publicly exposed credentials that could compromise development infrastructure.
Identified misconfigurations that could lead to unauthorized access to user data.
Featured in NPR. Discovered a Google Family Link security bypass at age 9, marking the beginning of my security research journey.
The languages and tools I use to uncover vulnerabilities.
Building custom scanners and automation tooling
Network analysis, interception, and reverse engineering
Where I deploy code and engage with the community
Open source tools and scanners I've built to automate the hunt.