About Me

White hat hacker and cybersecurity MSc @ ETH Zürich

LinkedIn | GitHub | X | Instagram

Student

• 2020-2023: Bachelor of Communication Systems at EPFL
  • Bachelor Thesis: Semantic-Aware Fuzzing on Regular Expressions @ SYSTEMF lab. (Loved everything about this project, from its topic to the people I could work with!)
• 2023-ongoing: Master of Cybersecurity at ETH Zürich

Bug bounty hunter

Hacking on bug bounty programs since 2020. Mostly doing it for Swisscom, more recently X (formerly Twitter) as well, and many others.

‍

• 60+ valid vulnerabilities
• Invited to give an internal talk to Swisscom security dept. in February 2024
• Ranked as the 3rd and 5th top hacker in 2022 and 2021, respectively

• 8 valid vulnerabilities (1 resolved, 7 still getting fixed)
• All issues affecting the main app and features (e.g., X Spaces, X Communities)

‍

Others:

Anthropic (Claude), OpenAi (ChatGPT), US Dept. of Defense, Twitch, Udemy, SwissID, etc.

Responsible discloser

Finding and reporting vulnerabilities just for the fun of it, without any money involved, was initially what sparked my interest in the field. Below is a non-exhaustive list of companies, institutions or projects I could contribute to:

• Project Jupyter (CVE-2024-28233 ; Reported issues leading to major additions to JupyterHub's security guidelines)
• EPFL (more than 25 reported vulnerabilities)
• Parcoursup
• Immortal Game
• Elyze (someone stole my fame in the past with this thread on X ... 😔)
• Resend
• Blast.Club
• Piazza
• Ed

Security tool maker

When I have time and feel the need, I make security tools that would benefit or automate some of my hacking steps. When I think that I'm not losing too much of an edge by publishing / open sourcing them (that's sometimes a sad truth of bug bounty competition ☹️), I do so. And in the best world, people love them!

The most popular ones are autoSSRF and autoPoisoner, respectively designed to automate the detection of SSRF and Web Cache Poisoning vulnerabilities.

Some stats of autoSSRF i'm quite happy with:

• 300+ GitHub stars ⭐
• Highlighted / featured on many online platforms 🔁:
  • X (#1, #2, #3, #4, #5)
  • LinkedIn (#1, #2)
  • offsec.tools
  • kitploit.com

Occasional Speaker

• Internal talk at Swisscom (February 2024)
• Talk at Area41 Security Conference in Zurich (June 2024)
  • Recording
  • Blog Post

Hope to do more of that in the future.

Conference frequent attendee

I always have great pleasure going to security conferences and meeting people there.

So far, I could attend the following:

• BlackHat EU 2023 - London, Excel
• Swiss CyberStorm 2022 & 2023 - Bern, Kuursal
• Insomni'hack 2023 - Lausanne, EPFL Swiss Tech Convention Center
• Cyber-Defence Campus Conference 2023 - Bern, Kuursal
• Web3 Security Conference 2023 by De.Fi - Milano, Nhow
• Area41 2024 (as a speaker) - Zurich, Komplex457
• EPFL Summer Research Institute on Systems, Security, and Privacy 2024 - Lausanne, EPFL