
mahadi6_
HackerOne Verified WordPress Security Audit and Vuln Assessment
Portfolio
Work experience
Penetration Tester and Bug Bounty hunter
Google • Freelance
Jan 2020 - Present • 6 yrs 4 mos
I am a HackerOne Verified White Hat Hacker who has earned $20,000+ total bounties discovering critical security vulnerabilities in major global platforms including Udemy, Wallet on Telegram, and GitHub repositories affecting 600,000+ users.

KEY ACHIEVEMENTS:
• Udemy – Complete Account Takeover ($2000 bounty): Discovered missing CSRF protection + no rate limiting + no email verification on /api-2.0/users/me/ endpoint. Any website could change a logged-in user's email without consent. Patched after my report.
• Udemy – Open Redirect ($2000 bounty): Found open redirect in passwordless authentication endpoint. Attackers could create phishing links stealing credentials. Patched after my report.
• Wallet on Telegram – Full SSRF ($2000 bounty equivalent): Identified Server-Side Request Forgery in /tonconnect-proxy/ endpoint allowing internal network access. Validated by their security team.
• Stephen Grider / GitHub – Critical Credential Exposure ($14000 value): Discovered live Docker Hub credentials + Google OAuth + AWS keys + MongoDB passwords. Successfully pulled 9+ private Docker images. 600,000+ students protected from supply chain attack. Prevented potential $14M+ damages.
• Neon Database – Session Management Flaw: Found profile updates accepted even after user logout. Validated by their security team.

TOTAL BOUNTIES & VALUE: $20,000+

CERTIFICATIONS:
• BlackHat Ethical Hacking – Bug Bounty Hunting Course
• BlackHat Ethical Hacking – Offensive Security and Ethical Hacking
• Defronix DCAPT – Advanced Penetration Tester

TOOLS & METHODOLOGY: wpscan, nmap, nikto, Burp Suite, Metasploit, Kali Linux, grep, theHarvester, Shodan, Recon-ng, Google Dorks

I apply the same bug bounty hunting methodology to secure WordPress sites for my Fiverr clients – manual testing, real exploitation attempts, and commercial-grade security reports.