20yo😼|Junior Pentester|Bug Hunter|Discoverer of 2 CVEs

Joined October 2022
Pinned Tweet
Yay, I was awarded a 5000$ bounty💰 on @Hacker0x01! hackerone.com/roland_hack #TogetherWeHitHarder
Roland Hack retweeted
Windfall - Unauth RCE in Windmill & Nextcloud Flow (CVE-2026-29059) Path traversal to credential leak to root shell. No authentication required on any deployment type, including behind Nextcloud's proxy. Metasploit modules full toolkit included. Also publishing a new technique for dumping PostgreSQL databases by reading heap files from disk. If you have filesystem access as root, you can extract every table without credentials or SQL access. Full binary parser with JSONB support. Write-up: chocapikk.com/posts/2026/win… PG heap dump technique: chocapikk.com/posts/2026/dum… PG heap dump tool: github.com/Chocapikk/pgread Exploit toolkit labs: github.com/Chocapikk/Windfal…
Roland Hack retweeted
I think I have completed client-side security, just one report: Self-XSS -> Drag-Drop Payload -> Scroll-To-Fragment -> Unchecked postMessage Listener -> Text Injection -> DOM-XSS -> OAuth State Misconfiguration -> Cookie Bomb -> Account Takeover medium.com/@renwa/iframe-san…
Roland Hack retweeted
Rule number 1 in Bug Bounty is only hack targets you enjoy hacking
Roland Hack retweeted
Replying to @zseano
people always asking what tools we use... then don't believe us when we say only Burp proxy Intruder Repeater lol
Roland Hack retweeted
Jan 29
People thought security researchers are about to get "automated". Meanwhile hacks on vibecoded projects disregarding security are at a peak. Skilled Security Researchers once again are worth their weight in gold.
Yay, I was awarded a 1250$ bounty💰 on @Hacker0x01! hackerone.com/roland_hack #TogetherWeHitHarder
Roland Hack retweeted
31 Dec 2025
Happy new year to everyone! Wishing everyone a happy year with crazy bugs.
Roland Hack retweeted
29 Dec 2025
ATO via OAuth unsanitized schema This is such a sneaky finding. Bugs like this just continue to prove that thinking away from the norm will go a long way. Get weird. Blog link👇 sicks3c.github.io/posts/ato-…
Roland Hack retweeted
PoV: you wake up and go run a pwn2own exploit @thezdi
exhausted, last entry tomorrow
Roland Hack retweeted
28 Sep 2025
It was fun watching people hate because of the expertise they don’t have or context they don’t know. I purposely didn’t share details of what I'm working on, and a few people with zero knowledge of the insane work I’ve put in used to call me names, it's fine, I actually never cared. More than half a million dollars in 5 months since I started reporting. And it will accelerate a lot faster once Pantheon Labs team is created, and I mean a ton faster. I've been hesitant about the team, I'm usually an isolated person, so it's been delayed a bit. The next few weeks will be even busier. I am not working as much as I want to, I know for a fact I could've done a lot more than that amount if I locked in more, I am honestly not satisfied yet. People have no idea what the future holds or the crazy things coming next, because they're not in my head and I haven't shared the tech we’re (me) working on. They don’t even have the imagination to even think what it could be. They don’t know what I know and can’t say what’s possible or impossible. Peace out.
🚀 Q3 on HackerOne ⭐️ Reached 1500 reputation points
🎖️ Level 5 Milestone Program unlocked
🤖 Found vulnerabilities in an AI assistant
🇫🇷 #9 in France BBPs
🌍 #89 global Web Apps assets
📈 New personal bounty milestone
Roland Hack retweeted
13 Sep 2025
Had an amazing time hacking @amazon at @Hacker0x01’s in-person event with @naaash, @jayesh25, and @itz_mg_! We secured first place on the leaderboard and reported the most impactful bug of the event. Huge thanks to both Amazon and HackerOne for organizing such an awesome experience, already excited for the next one! 👀
Roland Hack retweeted
7 Sep 2025
Me when 🫠
Roland Hack retweeted
For hackers doing everything manual, low and medium severity reports often lead to frustration. Do less but focus only on critical or high.
Roland Hack retweeted
5 Sep 2025
Sometimes while hacking there is this point where your mind goes completely blank and the target you’re hacking on starts dominating you. That’s a weird feeling not knowing what attack vector to go after.
Roland Hack retweeted
22 Aug 2025
Security researchers, we’re launching a full-length AI Red Team CTF with @hackthebox_eu this September: A multi-flag, adversarial LLM challenge series. Play from anywhere. Climb the leaderboard. Unlock exclusive swag. Registration is open now: 🔗 bit.ly/4oGQ6mA
Roland Hack retweeted
11 Aug 2025
That's one of the best feelings in the world 🤟
Roland Hack retweeted
You think that successful people are lucky? Destiny saved them and not you? They were working 24 hours a day while you were chilling elsewhere. So stand up and get your shit done.