TICKET-0001 CRITICAL

Andrey Petrovic


I find bugs before your users do, and before attackers do. 8 years of breaking production code on purpose, 2,847 bugs squashed, $312k in bounties collected, and zero regressions on anything I've shipped a patch for.

bug_scan.sh: production target
$ ./scan --target prod --depth=full
Initializing deep scan...
Scanning modules ██████████ 100%
✓ auth.service: PASSED (14 checks)
✓ payment.gateway: PASSED (9 checks)
✗ user.session: BUG DETECTED (memory leak, CVE-class)
✓ api.routes: PASSED (22 checks)
⚠ cache.handler: WARNING (race condition, medium)
✓ db.connector: PASSED (7 checks)
✓ crypto.utils: PASSED (12 checks)

Scan complete: 1 bug, 1 warning, 5 passed · 0.42s

Bug Report: Who is this Bug Hunter?

#SEC-2026-001 · Profile Disclosure: Senior Security QA Engineer
Status: OPEN · Assigned to @andrey · HIGH TRUST

Reporter: self
Severity: production-ready
Years of experience: 8+
Based in: Belgrade · GMT+1
Working hours: 09:00–18:00 CET
Response time: ≤ 24h
Languages: EN · SR · RU
Clearance: background-checked

// Summary

Senior Security QA Engineer and independent bug bounty hunter. I break things on purpose so nothing breaks by accident, combining black-box penetration testing, source code review, and CI-integrated fuzzing to find the bugs that matter before they reach production.

// Reproduction Steps

Drop me into your codebase with read access and a staging environment. Within 72 hours I'll deliver a prioritized vulnerability report with proof-of-concept exploits, severity ratings, and patch recommendations. For ongoing engagements, I integrate automated checks into your CI pipeline so regressions get caught at the PR, not at the incident review.

// Impact

Over the last 8 years I've disclosed 2,847 bugs across fintech, healthcare, and SaaS, including 14 CVEs with CVSS ≥ 8.0. My disclosures have been credited by HackerOne, Bugcrowd, and GitHub Security Lab. I've helped 3 startups pass SOC 2 Type II on the first audit and cut one client's incident-response MTTR from 6 hours to 22 minutes.

// What I Hunt

  • Authentication & session boundary flaws (OAuth, SSO, JWT)
  • Authorization bypass & IDOR / BOLA in GraphQL and REST
  • Injection: SQL, NoSQL, command, template, SSRF
  • Crypto misuse: padding oracles, IV reuse, weak KDFs
  • Race conditions in async / distributed code paths
  • Supply-chain risks in third-party dependencies

// Disclosure Policy

Coordinated disclosure by default. 90-day window, extendable on request. I publish writeups after patches are live; blog.petrovic.sec has 42 of them so far.

14 CVEs disclosed (CVSS ≥ 8.0)
$312k total bounty earnings
22 min avg MTTR after my fixes
0 regressions on patched bugs

Skills & Coverage Matrix

My skill coverage by domain, measured by bugs found per 1,000 lines audited, not by self-assessment.

Domain                     Coverage   Focus                              Bugs found
Web App Security           96%        OWASP Top 10 · GraphQL · API       1,284
Authentication & Identity  94%        OAuth · OIDC · SAML · JWT          418
Cloud & Infra Security     88%        AWS · GCP · K8s · Terraform        312
Cryptography Review        82%        TLS · KDF · signing · padding      96
CI/CD Pipeline Auditing    90%        GitHub Actions · secrets · SBOM    187
Fuzzing & Automation       85%        libFuzzer · AFL++ · CIFuzz         550

Public Vulnerability Disclosures

A selection of disclosed vulnerabilities: all coordinated, all patched, all with public writeups.

ID        Vulnerability                        CVE            Target               Severity  Bounty   Year
VULN-001  Auth bypass via JWT alg confusion    CVE-2025-4192  fintech-saas         CRITICAL  $18,000  2025
VULN-002  GraphQL IDOR exposing PII            CVE-2025-3318  healthcare-platform  CRITICAL  $12,500  2025
VULN-003  SSRF via webhook callback            CVE-2024-9981  devops-tool          HIGH      $6,200   2024
VULN-004  Race condition in payout settlement  CVE-2024-7762  fintech-saas         HIGH      $9,800   2024
VULN-005  Padding oracle in legacy SSO         CVE-2024-5521  enterprise-sso       HIGH      $4,500   2024
VULN-006  SSRF via PDF renderer                CVE-2023-8890  design-platform      MEDIUM    $2,800   2023

Selected Bug Hunting Case Studies

Four bugs I'm particularly proud of, each with a writeup, an exploit, and a patch that stuck.

KILL-001 · fintech-saas

JWT alg-confusion auth bypass

CRITICAL
Tags: JWT · auth-bypass · CVE-2025-4192

The verification library accepted `alg: none` and `alg: HS256` with the RSA public key as the HMAC secret, letting anyone forge admin tokens. I chained it with an IDOR to drain a sandbox account in 4 requests.

▸ $18k bounty · CVSS 9.8 · 2025-04-12

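The alg-confusion class described above, as an added example (this is not Andrey's PoC and not the affected library's code): a toy JWT verifier that obeys the header's `alg`, beside one that pins the algorithm server-side. The RSA key is a constructed 60-bit textbook key with no PKCS#1 padding so the block runs without a crypto library; the shape of the bug is identical with a real RS256 key, because the public key is public and anyone can compute an HMAC keyed with it. Claims, subjects and the PEM layout are made up.

```python
import base64
import hashlib
import hmac
import json

# Toy RSA key pair (constructed): 60-bit modulus, textbook signing over a reduced SHA-256.
# It stands in for the server's real RS256 key so the block needs no crypto library.
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
# The verifier's configured key. It is *public*, so an attacker has the same bytes.
PUBLIC_KEY_PEM = f"-----BEGIN PUBLIC KEY-----\n{N}:{E}\n-----END PUBLIC KEY-----\n"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _digest_int(data: bytes) -> int:
    # Real RS256 applies PKCS#1 v1.5 padding; the toy reduces the digest into the modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def rs256_sign(signing_input: bytes) -> bytes:
    return pow(_digest_int(signing_input), D, N).to_bytes(8, "big")


def rs256_verify(signing_input: bytes, sig: bytes) -> bool:
    return pow(int.from_bytes(sig, "big"), E, N) == _digest_int(signing_input)


def hs256(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def encode(header: dict, payload: dict, sign) -> str:
    """Build header.payload.signature; `sign` maps the signing input to raw signature bytes."""
    signing_input = (_b64(json.dumps(header).encode()) + "." + _b64(json.dumps(payload).encode())).encode()
    return signing_input.decode() + "." + _b64(sign(signing_input))


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_unb64(h)), json.loads(_unb64(p)), (h + "." + p).encode(), _unb64(s)


def verify_vulnerable(token: str) -> dict:
    """Lets the *token* choose the algorithm: the bug class behind CVE-2025-4192."""
    header, payload, signing_input, sig = _split(token)
    alg = header.get("alg")
    if alg == "none":                       # unsigned token accepted as-is
        return payload
    if alg == "HS256":                      # HMAC keyed with whatever key is configured: the public key
        if hmac.compare_digest(sig, hs256(signing_input, PUBLIC_KEY_PEM.encode())):
            return payload
    elif alg == "RS256":
        if rs256_verify(signing_input, sig):
            return payload
    raise ValueError("bad signature")


def verify_hardened(token: str, expected_alg: str = "RS256") -> dict:
    """Pins the algorithm server-side; the header's alg is checked against it, never obeyed."""
    header, payload, signing_input, sig = _split(token)
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg {header.get('alg')!r} not allowed")
    if not rs256_verify(signing_input, sig):
        raise ValueError("bad signature")
    return payload


def demo() -> dict:
    """Returns {case: (role seen by the vulnerable verifier, role seen by the hardened one)}."""
    legit = encode({"alg": "RS256", "typ": "JWT"}, {"sub": "user-42", "role": "user"}, rs256_sign)
    forged_none = encode({"alg": "none"}, {"sub": "user-42", "role": "admin"}, lambda _si: b"")
    forged_hs = encode({"alg": "HS256"}, {"sub": "user-42", "role": "admin"},
                       lambda si: hs256(si, PUBLIC_KEY_PEM.encode()))

    def outcome(verify, token):
        try:
            return verify(token)["role"]
        except ValueError as exc:
            return f"rejected: {exc}"

    return {name: (outcome(verify_vulnerable, tok), outcome(verify_hardened, tok))
            for name, tok in (("legit", legit), ("none", forged_none), ("hs256", forged_hs))}


if __name__ == "__main__":
    for case, (vuln, hard) in demo().items():
        print(f"{case:6} vulnerable={vuln!r:12} hardened={hard!r}")
```

The fix is not "reject `none`"; it is that the expected algorithm and the key type are server configuration, and the token header is compared against them rather than consulted. Real libraries expose this as an explicit algorithm list on the verify call; the verifier must also be given only a key of the matching type, so an HMAC algorithm can never be paired with RSA key material.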
KILL-002 · healthcare-platform

GraphQL IDOR exposing patient PII

CRITICAL
Tags: GraphQL · IDOR · CVE-2025-3318

The `patient(id: ID!)` resolver checked auth on the operation but not on the resolved object; iterating IDs returned full records for 1.4M patients. I reported it via their coordinated disclosure; patch shipped in 11 hours.

▸ $12.5k bounty · CVSS 9.1 · 2025-02-28

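The operation-level versus object-level distinction above, as an added example (not the platform's code and not Andrey's writeup): a resolver that only checks that the caller is logged in, beside the same resolver wrapped in an object-level policy, plus the enumeration loop that shows the difference. Patient records, user ids and the `clinician` role are constructed; any real GraphQL server would run the equivalent policy inside the resolver or a field-level middleware.

```python
from typing import Optional

# Constructed patient table (hypothetical). `owner` is the account entitled to read the record.
PATIENTS = {
    101: {"id": 101, "owner": "u-alice", "name": "Alice A.", "diagnosis": "redacted"},
    102: {"id": 102, "owner": "u-bob",   "name": "Bob B.",   "diagnosis": "redacted"},
    103: {"id": 103, "owner": "u-carol", "name": "Carol C.", "diagnosis": "redacted"},
}


class Context:
    """What the GraphQL server knows about the caller after authentication."""

    def __init__(self, user_id: Optional[str], roles=()):
        self.user_id = user_id
        self.roles = frozenset(roles)


class Unauthenticated(Exception):
    pass


def resolve_patient_vulnerable(ctx: Context, patient_id: int):
    """Operation-level check only: any authenticated caller reads any id (the CVE-2025-3318 pattern)."""
    if ctx.user_id is None:
        raise Unauthenticated()
    return PATIENTS.get(patient_id)


def can_view_patient(ctx: Context, record: dict) -> bool:
    """Object-level policy: the record's owner, or a caller holding the clinician role."""
    return record["owner"] == ctx.user_id or "clinician" in ctx.roles


def object_authorized(policy):
    """Decorator applying an object-level policy to whatever the resolver returns.
    Forbidden and missing objects both yield None, so the response does not reveal which ids exist."""
    def wrap(resolver):
        def guarded(ctx, *args, **kwargs):
            record = resolver(ctx, *args, **kwargs)
            if record is None or not policy(ctx, record):
                return None
            return record
        return guarded
    return wrap


@object_authorized(can_view_patient)
def resolve_patient_hardened(ctx: Context, patient_id: int):
    if ctx.user_id is None:
        raise Unauthenticated()
    return PATIENTS.get(patient_id)


def enumerate_ids(resolver, ctx: Context, id_range) -> list:
    """Attacker loop: walk the id space and collect every record the resolver hands back."""
    leaked = []
    for pid in id_range:
        try:
            record = resolver(ctx, pid)
        except Unauthenticated:
            break
        if record is not None:
            leaked.append(record["id"])
    return leaked


if __name__ == "__main__":
    bob = Context("u-bob")
    print("vulnerable:", enumerate_ids(resolve_patient_vulnerable, bob, range(100, 110)))
    print("hardened:  ", enumerate_ids(resolve_patient_hardened, bob, range(100, 110)))
```

Two details matter in practice. The policy runs on the resolved object, not on the argument, so it also covers records reached through nested fields and list queries. And a forbidden record returns the same `null` as a missing one; a distinct "forbidden" error turns the resolver into an oracle for which ids exist.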
KILL-003 · fintech-saas

Race condition in payout settlement

HIGH
Tags: race-condition · toctou · CVE-2024-7762

The settlement endpoint read the balance, checked it, then debited, without a row lock. Two concurrent requests could double-spend. Reproducible with 12 lines of Python and an asyncio gather. Patch added SELECT FOR UPDATE; I wrote the regression test.

▸ $9.8k bounty · CVSS 7.5 · 2024-09-14

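The check-then-act sequence above, as an added example (not Andrey's PoC and not the vendor's code): a SQLite-backed settle function with the bug, the same function taking the lock before it reads, and a two-thread runner standing in for the asyncio.gather PoC against the HTTP endpoint. SQLite has no `SELECT ... FOR UPDATE`, so `BEGIN IMMEDIATE` takes the write lock up front; on Postgres the equivalent is `SELECT balance FROM wallets WHERE id = $1 FOR UPDATE` inside the transaction. Table name, balances and amounts are constructed.

```python
import os
import sqlite3
import tempfile
import threading
import time


def make_db(opening_balance: int = 100) -> str:
    """Constructed wallets table with one funded account; returns the path of a temp SQLite file."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE wallets (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    con.execute("INSERT INTO wallets (id, balance) VALUES (1, ?)", (opening_balance,))
    con.commit()
    con.close()
    return path


def settle_vulnerable(path: str, wallet_id: int, amount: int) -> bool:
    """Read, check, then write with no lock held across the gap: both callers pass the check."""
    con = sqlite3.connect(path, timeout=5)
    try:
        (bal,) = con.execute("SELECT balance FROM wallets WHERE id = ?", (wallet_id,)).fetchall()[0]
        time.sleep(0.1)  # widens the check-then-act window so the interleaving is deterministic
        if bal < amount:
            return False
        # Absolute write from a stale read: the second caller overwrites the first debit.
        con.execute("UPDATE wallets SET balance = ? WHERE id = ?", (bal - amount, wallet_id))
        con.commit()
        return True
    finally:
        con.close()


def settle_locked(path: str, wallet_id: int, amount: int) -> bool:
    """Take the write lock before reading. SQLite: BEGIN IMMEDIATE. Postgres: SELECT ... FOR UPDATE."""
    con = sqlite3.connect(path, timeout=5, isolation_level=None)  # explicit transaction control
    try:
        con.execute("BEGIN IMMEDIATE")  # the second caller blocks here until the first commits
        (bal,) = con.execute("SELECT balance FROM wallets WHERE id = ?", (wallet_id,)).fetchall()[0]
        time.sleep(0.1)
        if bal < amount:
            con.execute("ROLLBACK")
            return False
        con.execute("UPDATE wallets SET balance = balance - ? WHERE id = ?", (amount, wallet_id))
        con.execute("COMMIT")
        return True
    except Exception:
        if con.in_transaction:
            con.execute("ROLLBACK")
        raise
    finally:
        con.close()


def race(path: str, settle, amount: int = 80, attackers: int = 2):
    """Fire `attackers` concurrent settlements; returns (successful payouts, remaining balance)."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(settle(path, 1, amount)))
               for _ in range(attackers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    con = sqlite3.connect(path)
    (bal,) = con.execute("SELECT balance FROM wallets WHERE id = 1").fetchall()[0]
    con.close()
    return sum(results), bal


def cleanup(path: str) -> None:
    for suffix in ("", "-journal", "-wal", "-shm"):
        try:
            os.remove(path + suffix)
        except FileNotFoundError:
            pass


def demo() -> dict:
    """{'vulnerable': (2, 20), 'locked': (1, 20)}: the bug pays out 160 from a balance of 100."""
    out = {}
    for name, settle in (("vulnerable", settle_vulnerable), ("locked", settle_locked)):
        path = make_db()
        try:
            out[name] = race(path, settle)
        finally:
            cleanup(path)
    return out


if __name__ == "__main__":
    print(demo())
```

The `race` function doubles as the regression test: run it against the patched code path in CI and assert on `(1, 20)`. Note the second change in `settle_locked` alongside the lock: the debit is a relative `balance = balance - ?`, so even a lost race cannot resurrect a stale absolute value.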
KILL-004 · devops-tool

SSRF via webhook callback URL

HIGH
Tags: SSRF · metadata-service · CVE-2024-9981

The webhook receiver followed redirects server-side and didn't restrict internal IPs, letting an attacker reach the AWS metadata endpoint and exfiltrate IAM credentials. I included a 4-step PoC in the report.

▸ $6.2k bounty · CVSS 8.6 · 2024-11-03

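The two missing controls above, as an added example (not Andrey's PoC and not the vendor's patch): a validator that resolves the callback host once, rejects internal ranges (including 169.254.169.254) and can enforce a host allowlist, and a deliverer that refuses redirects instead of following them. DNS and HTTP are replaced by constructed in-memory tables so the block runs offline; the hostnames, addresses and the redirect chain are hypothetical.

```python
import ipaddress
from urllib.parse import urlparse

# Ranges a webhook receiver must never connect to: RFC 1918, loopback, link-local (which holds the
# 169.254.169.254 cloud metadata service), CGNAT, multicast/reserved, IPv6 ULA and link-local.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed stand-in for DNS (hypothetical names and addresses).
FAKE_DNS = {
    "hooks.example.com": "203.0.113.10",
    "api.partner.example": "198.51.100.7",
    "metadata.internal": "169.254.169.254",
}

# Constructed HTTP responses: the customer's callback 302s to the AWS metadata service.
FAKE_RESPONSES = {
    "http://hooks.example.com/cb": (302, {"Location": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}, b""),
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/": (200, {}, b"payout-service-role"),
    "http://api.partner.example/hook": (200, {}, b"ok"),
}


def fake_resolve(host: str) -> str:
    return FAKE_DNS.get(host, host)  # IP literals resolve to themselves; unknown names fail in the validator


def fake_transport(url: str, ip=None):
    return FAKE_RESPONSES.get(url, (404, {}, b"not found"))


def validate_callback(url: str, resolver=fake_resolve, allowed_hosts=None):
    """Return (ok, reason, ip). The ip is resolved once and pinned: connect to it, not to the name."""
    u = urlparse(url)
    if u.scheme not in ("http", "https"):
        return False, "scheme not allowed", None
    if u.username or u.password:
        return False, "userinfo not allowed", None
    host = u.hostname
    if not host:
        return False, "no host", None
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not on allowlist", None
    try:
        ip = ipaddress.ip_address(resolver(host))
    except ValueError:
        return False, "unresolvable host", None
    if ip.version == 6 and ip.ipv4_mapped:      # ::ffff:169.254.169.254 is still the metadata service
        ip = ip.ipv4_mapped
    if any(ip in net for net in BLOCKED_NETS):
        return False, f"{ip} is internal", None
    return True, "ok", str(ip)


def deliver_vulnerable(url: str, transport=fake_transport, max_redirects: int = 5) -> dict:
    """Follows redirects blindly and never checks where they point: the bug in CVE-2024-9981."""
    for _ in range(max_redirects + 1):
        status, headers, body = transport(url)
        if status in REDIRECT_CODES:
            url = headers["Location"]
            continue
        return {"status": status, "body": body, "final_url": url}
    return {"status": None, "body": b"", "final_url": url}


def deliver_hardened(url: str, transport=fake_transport, resolver=fake_resolve, allowed_hosts=None) -> dict:
    """Validate the target, connect to the pinned IP, and treat any redirect as a failure."""
    ok, reason, ip = validate_callback(url, resolver, allowed_hosts)
    if not ok:
        return {"status": "blocked", "reason": reason}
    status, headers, body = transport(url, ip)   # real code: open the socket to `ip`, Host: original name
    if status in REDIRECT_CODES:
        return {"status": "blocked", "reason": "redirect refused: " + headers.get("Location", "")}
    return {"status": status, "body": body, "final_url": url}


if __name__ == "__main__":
    print(deliver_vulnerable("http://hooks.example.com/cb"))   # leaks the IAM role name
    print(deliver_hardened("http://hooks.example.com/cb"))     # blocked at the redirect
    print(deliver_hardened("http://metadata.internal/latest/meta-data/"))
```

With `requests` the redirect half is `requests.post(url, allow_redirects=False, ...)` followed by treating any 3xx as an error. The pinning half is the part stock clients do not give you: if the library re-resolves the name when it connects, a DNS answer that changes between validation and connection (rebinding) lands you on the internal address anyway, so the socket has to be opened to the validated `ip` with the `Host` header carrying the original name.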

My Bug-Hunting Toolkit

The tools I actually use daily, not a generic list. Each one earns its keep on a real engagement.

Burp Suite Pro: interception
OWASP ZAP: active scan
Nuclei: template scan
Semgrep: SAST
CodeQL: query-based SAST
FFuF / Wfuzz: fuzzing
AFL++: binary fuzzing
Syft / Grype: SBOM & CVE scan
tfsec / Checkov: IaC scan
Ghidra: reverse engineering
mitmproxy: traffic replay
Custom Python PoCs: exploit scripts

How I Run an Engagement

A four-phase methodology I've refined across 40+ engagements: predictable, scoped, and CI-integrable.

Recon

Scope clarification, threat modelling, attack-surface mapping. I read your docs, your code, and your git history before touching a single endpoint.

Hunt

Manual + automated testing. I start with the OWASP Top 10 for your stack, then go deep on auth, authz, injection, and race conditions: the bug classes that actually matter.

Report

Every finding ships with: title, severity (CVSS), affected endpoint, proof-of-concept, impact, and recommended patch. Reproducible in 3 steps or fewer.

Patch & Regression

I review your patch, write a regression test, and where possible wire it into CI so the same bug class can never ship again. Retest at 30 days.

2026-06-27 14:22 · HIGH
Race condition in /api/v2/transfer: patched in 22 min
Two concurrent POSTs could double-spend a sandbox wallet. Patched with SELECT FOR UPDATE; regression test added to CI.
Tags: race-condition · toctou · postgres

2026-06-25 09:14 · MED
SSRF in webhook receiver: patched same day
Callback URL accepted internal IPs; reached AWS metadata endpoint. Patched with allowlist + redirect-blocking.
Tags: ssrf · cloud-metadata · webhook

2026-06-22 17:48 · CRIT
JWT alg-confusion auth bypass: patched in 11h
Verification library accepted alg: none. Patched with explicit allowlist; rotated signing keys; revocation list deployed.
Tags: jwt · auth-bypass · cve-class

From Security Leads I've Worked With

"

Andrey found three CVE-class bugs in our payment flow within the first 48 hours. His reports are the cleanest I've ever seen β€” every patch recommendation was merge-ready.

JK
Jonas Kjær
Head of Security, fintech-saas
"

We hired Andrey for a 2-week audit. He left us with a prioritized backlog, a CI-integrated regression suite, and an internal threat model our team still updates quarterly.

MH
Mira Halvorsen
CISO, healthcare-platform
"

Few security engineers understand developer workflows. Andrey writes PoCs that read like documentation and patches that pass code review on the first try.

SA
Sara Adeyemi
Staff Engineer, devops-tool

Open an Engagement Ticket

Tell me what you're building, what you're worried about, and your timeline. I read every report and respond within 24 hours.

Available for short security audits (1–2 weeks), longer embedded engagements (1–3 months), and ongoing retainer work. I work remotely from Belgrade, overlap 4+ hours with US/EU timezones, and sign NDAs by default.

Email: andrey@petrovic.sec
Location: Belgrade · GMT+1 · remote
Response time: ≤ 24h, Mon–Fri
PGP: 0x9F2A 4C71 · key on keybase

Available for Q3 2026: 2 slots remaining