Andrey Petrovic
I find bugs before your users do — and before attackers do. 8 years of breaking production code on purpose, 2,847 bugs squashed, $312k in bounties collected, and zero regressions on anything I've shipped a patch for.
Bug Report: Who is this Bug Hunter?
Profile Disclosure — Senior Security QA Engineer
HIGH TRUST
// Summary
Senior Security QA Engineer and independent bug bounty hunter. I break things on purpose so nothing breaks by accident — combining black-box penetration testing, source code review, and CI-integrated fuzzing to find the bugs that matter before they reach production.
// Reproduction Steps
Drop me into your codebase with read access and a staging environment. Within 72 hours I'll deliver a prioritized vulnerability report with proof-of-concept exploits, severity ratings, and patch recommendations. For ongoing engagements, I integrate automated checks into your CI pipeline so regressions get caught at the PR — not at the incident review.
// Impact
Over the last 8 years I've disclosed 2,847 bugs across fintech, healthcare, and SaaS — including 14 CVEs with CVSS ≥ 8.0. My disclosures have been credited by HackerOne, Bugcrowd, and GitHub Security Lab. I've helped 3 startups pass SOC 2 Type II on the first audit and cut one client's incident-response MTTR from 6 hours to 22 minutes.
// What I Hunt
- Authentication & session boundary flaws (OAuth, SSO, JWT)
- Authorization bypass & IDOR / BOLA in GraphQL and REST
- Injection — SQL, NoSQL, command, template, SSRF
- Crypto misuse — padding oracles, IV reuse, weak KDFs
- Race conditions in async / distributed code paths
- Supply-chain risks in third-party dependencies
// Disclosure Policy
Coordinated disclosure by default. 90-day window, extendable on request. I publish writeups after patches are live — blog.petrovic.sec has 42 of them so far.
Skills & Coverage Matrix
My skill coverage by domain — measured by bugs found per 1,000 lines audited, not by self-assessment.
Public Vulnerability Disclosures
A selection of disclosed vulnerabilities — all coordinated, all patched, all with public writeups.
| ID | Vulnerability | Target | Severity | Bounty | Year |
|---|---|---|---|---|---|
| VULN-001 | Auth bypass via JWT alg confusion (CVE-2025-4192) | fintech-saas | CRITICAL | $18,000 | 2025 |
| VULN-002 | GraphQL IDOR exposing PII (CVE-2025-3318) | healthcare-platform | CRITICAL | $12,500 | 2025 |
| VULN-003 | SSRF via webhook callback (CVE-2024-9981) | devops-tool | HIGH | $6,200 | 2024 |
| VULN-004 | Race condition in payout settlement (CVE-2024-7762) | fintech-saas | HIGH | $9,800 | 2024 |
| VULN-005 | Padding oracle in legacy SSO (CVE-2024-5521) | enterprise-sso | HIGH | $4,500 | 2024 |
| VULN-006 | SSRF via PDF renderer (CVE-2023-8890) | design-platform | MEDIUM | $2,800 | 2023 |
Selected Bug Hunting Case Studies
Four bugs I'm particularly proud of — each with a writeup, an exploit, and a patch that stuck.
JWT alg-confusion auth bypass
The verification library accepted `alg: none` and `alg: HS256` with the RSA public key as HMAC secret — letting anyone forge admin tokens. I chained it with an IDOR to drain a sandbox account in 4 requests.
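The defect above is a verifier that lets the token's own header pick the verification method. The following is an added illustration, not code from the engagement or from any library named on this page: a minimal HS256 verifier in the vulnerable header-driven shape next to one that pins the algorithm server-side. The secret, claims and token layout are constructed for the example; RS256 is deliberately not implemented, so the RSA-public-key-as-HMAC-secret variant is described in a comment rather than reproduced.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only; a real service loads it from a secret store.
SERVER_SECRET = b"example-hmac-secret-not-for-production"


def _b64url_decode(segment):
    """Decode a base64url segment; JWT segments drop the '=' padding, so restore it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def encode_token(header, claims, secret):
    """Build a compact JWT. With secret=None the signature segment is left empty,
    which is exactly what an 'alg: none' token looks like on the wire."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    if secret is None:
        return f"{h}.{p}."
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def verify_trusting_header(token, key):
    """VULNERABLE pattern: the attacker-controlled header selects the check.
    'none' skips verification entirely. The same dispatch is what causes key
    confusion: if the deployment hands this function an RSA *public* key for
    RS256 tokens, an HS256 header makes it use that public key as the HMAC secret."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(p))  # no signature check at all
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s)):
            return json.loads(_b64url_decode(p))
    raise ValueError("invalid token")


def verify_hs256_pinned(token, secret):
    """HARDENED: the server fixes the algorithm up front; the header must match it
    exactly, and only the server's HMAC secret is ever used to check the MAC."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("algorithm %r not allowed" % header.get("alg"))
    if not s:
        raise ValueError("missing signature")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def demo():
    """Run a properly signed token and an 'alg: none' token through both verifiers.
    Returns {(token_name, verifier_name): role-or-'rejected'}."""
    legit = encode_token({"alg": "HS256", "typ": "JWT"},
                         {"sub": "alice", "role": "user"}, SERVER_SECRET)
    alg_none = encode_token({"alg": "none", "typ": "JWT"},
                            {"sub": "alice", "role": "admin"}, None)
    results = {}
    for name, tok in (("legit", legit), ("alg_none", alg_none)):
        for label, fn in (("trusting", verify_trusting_header), ("pinned", verify_hs256_pinned)):
            try:
                results[(name, label)] = fn(tok, SERVER_SECRET)["role"]
            except ValueError:
                results[(name, label)] = "rejected"
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, outcome)
```

The regression test for this bug class is the `alg_none` row of `demo()`: the pinned verifier must report `rejected`, and a library upgrade that silently re-enables header-driven dispatch will flip that row.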
GraphQL IDOR exposing patient PII
The `patient(id: ID!)` resolver checked auth on the operation but not on the resolved object — iterating IDs returned full records for 1.4M patients. I reported it via their coordinated disclosure; patch shipped in 11 hours.
Race condition in payout settlement
The settlement endpoint read balance, checked it, then debited — without a row lock. Two concurrent requests could double-spend. Reproducible with 12 lines of Python and an asyncio gather. Patch added SELECT FOR UPDATE; I wrote the regression test.
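An added illustration of the read-check-debit race and of a fix that holds, not the client's code or the regression test mentioned above. It uses an in-memory SQLite ledger (constructed), so the interleaving is scripted rather than produced by real concurrency: every request reads and checks before any of them writes, which is the schedule two unlocked handlers can hit. SQLite has no `SELECT ... FOR UPDATE`, so the hardened version shows the equivalent guard of folding the check into the `UPDATE` itself; on Postgres or MySQL the page's row lock inside a transaction achieves the same serialisation.

```python
import sqlite3


def fresh_ledger(opening_balance=100):
    """Constructed in-memory ledger with one account. Autocommit mode, so each
    statement is its own transaction, as separate request handlers would see it."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO accounts VALUES ('acct-1', ?)", (opening_balance,))
    return conn


def read_balance(conn, acct):
    return conn.execute("SELECT balance FROM accounts WHERE id = ?", (acct,)).fetchone()[0]


def racy_payouts(conn, acct, amounts):
    """VULNERABLE read-check-debit with the lost-check interleaving made explicit:
    all requests pass the balance check against the same stale snapshot, then all
    of them debit. Returns how many payouts were approved."""
    approved = []
    for amount in amounts:
        balance = read_balance(conn, acct)      # step 1: read
        if balance >= amount:                   # step 2: check
            approved.append(amount)
    for amount in approved:                     # step 3: debit (no lock held since step 1)
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, acct))
    return len(approved)


def atomic_payout(conn, acct, amount):
    """HARDENED: check and debit are one statement, so the engine serialises them
    per row and a second request sees the already-debited balance. rowcount
    reports whether the guard held, which is what the caller must act on."""
    cur = conn.execute(
        "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
        (amount, acct, amount),
    )
    return cur.rowcount == 1


def compare(amounts=(80, 80)):
    """Run the same payout requests against both implementations.
    Returns {'racy': (approved_count, final_balance), 'atomic': ([ok...], final_balance)}."""
    racy = fresh_ledger()
    racy_count = racy_payouts(racy, "acct-1", amounts)
    racy_final = read_balance(racy, "acct-1")

    safe = fresh_ledger()
    safe_results = [atomic_payout(safe, "acct-1", a) for a in amounts]
    safe_final = read_balance(safe, "acct-1")
    return {"racy": (racy_count, racy_final), "atomic": (safe_results, safe_final)}


if __name__ == "__main__":
    print(compare())  # racy approves both 80s and goes negative; atomic declines the second
```

As a regression test, assert on `atomic_payout`'s return value and on the final balance never dropping below zero; a refactor that moves the `balance >= ?` back into application code will fail the second assertion.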
SSRF via webhook callback URL
The webhook receiver followed redirects server-side and didn't restrict internal IPs — letting an attacker reach the AWS metadata endpoint and exfiltrate IAM credentials. I included a 4-step PoC in the report.
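The two defects named above (unrestricted destination, redirects followed blind) have one defensive shape: validate the destination before every hop, and connect to the address you validated. The block below is an added example, not the devops-tool's code or its patch. The host names, DNS answers and HTTP responses are constructed fixtures so it runs offline; the resolver and the transport are injected for the same reason. The `fetch(url, ip)` contract, where the transport connects to the IP that passed validation, is an assumption of this example and is the part that also closes the DNS-rebinding variant (validate once, connect to something else).

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 3


def is_public_address(ip_text):
    """True only for globally routable addresses. Loopback, RFC 1918, link-local
    (which covers the 169.254.169.254 cloud metadata endpoint), documentation and
    reserved ranges are all rejected; IPv4-mapped IPv6 is unwrapped first."""
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global


def validate_callback_url(url, resolver=socket.getaddrinfo):
    """Return the public IPs the URL's host resolves to, or raise ValueError.
    Literal IPs are checked directly; names are resolved and EVERY answer must pass."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parsed.scheme)
    if parsed.username or parsed.password:
        raise ValueError("userinfo in callback URL not allowed")
    host = parsed.hostname
    if not host:
        raise ValueError("missing host")
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        infos = resolver(host, port)
        addrs = sorted({info[4][0] for info in infos})
    if not addrs:
        raise ValueError("host does not resolve: %r" % host)
    blocked = [a for a in addrs if not is_public_address(a)]
    if blocked:
        raise ValueError("non-public address for %r: %s" % (host, ", ".join(blocked)))
    return addrs


def deliver(url, fetch, resolver=socket.getaddrinfo):
    """Follow redirects by hand so each hop is validated before it is requested.
    fetch(url, ip) -> (status, headers, body); it must connect to `ip`, not re-resolve."""
    for _ in range(MAX_REDIRECTS + 1):
        ips = validate_callback_url(url, resolver)
        status, headers, body = fetch(url, ips[0])
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            url = urljoin(url, headers["location"])
            continue
        return status, body
    raise ValueError("too many redirects")


# --- constructed offline fixtures: not real hosts, answers or responses ---
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],   # constructed public address
    "internal.example.com": ["10.0.0.5"],    # a name that resolves into the private network
    "localhost": ["127.0.0.1"],
}


def fake_resolver(host, port, *args, **kwargs):
    """Same tuple shape as socket.getaddrinfo: sockaddr is at index 4."""
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in FAKE_DNS.get(host, [])]


FAKE_RESPONSES = {
    "https://hooks.example.com/cb": (200, {}, "ok"),
    # A public host that bounces the server towards the metadata endpoint.
    "https://hooks.example.com/moved": (302, {"location": "http://169.254.169.254/latest/meta-data/"}, ""),
}


def fake_fetch(url, ip):
    return FAKE_RESPONSES.get(url, (404, {}, "not found"))


def check(url):
    """Outcome for one callback URL: ('ok', body) or ('rejected', reason)."""
    try:
        status, body = deliver(url, fake_fetch, fake_resolver)
        return ("ok", body)
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for u in ("https://hooks.example.com/cb", "https://hooks.example.com/moved",
              "http://169.254.169.254/latest/meta-data/", "http://internal.example.com/"):
        print(u, "->", check(u))
```

Two caveats worth keeping in the regression suite: `is_global` is the right primitive because the blocklist-of-ranges approach tends to miss IPv4-mapped IPv6 and the 100.64.0.0/10 range, and the redirect check only means something if the HTTP client is configured not to follow redirects on its own.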
My Bug-Hunting Toolkit
The tools I actually use daily — not a generic list. Each one earns its keep on a real engagement.
How I Run an Engagement
A four-phase methodology I've refined across 40+ engagements — predictable, scoped, and CI-integrable.
Recon
Scope clarification, threat modelling, attack-surface mapping. I read your docs, your code, and your git history before touching a single endpoint.
Hunt
Manual + automated testing. I start with the OWASP Top 10 for your stack, then go deep on auth, authz, injection, and race conditions — the bug classes that actually matter.
Report
Every finding ships with: title, severity (CVSS), affected endpoint, proof-of-concept, impact, and recommended patch. Reproducible in 3 steps or fewer.
Patch & Regression
I review your patch, write a regression test, and where possible wire it into CI so the same bug class can never ship again. Retest at 30 days.
From Security Leads I've Worked With
Andrey found three CVE-class bugs in our payment flow within the first 48 hours. His reports are the cleanest I've ever seen β every patch recommendation was merge-ready.
We hired Andrey for a 2-week audit. He left us with a prioritized backlog, a CI-integrated regression suite, and an internal threat model our team still updates quarterly.
Few security engineers understand developer workflows. Andrey writes PoCs that read like documentation and patches that pass code review on the first try.
Open an Engagement Ticket
Tell me what you're building, what you're worried about, and your timeline. I read every report and respond within 24 hours.
Available for short security audits (1–2 weeks), longer embedded engagements (1–3 months), and ongoing retainer work. I work remotely from Belgrade, overlap 4+ hours with US/EU timezones, and sign NDAs by default.