- 👨‍💻 All of my projects are available at https://github.com/herdiyana256
- 💬 Ask me about Web Security, Android Dev, DevSecOps, CI/CD Pipeline Security, Automation
- 📫 How to reach me: herdiyan@supernesia.id
- 👨‍💻 My business: Supernesia Creative Technology
| Organization | Finding | Platform | Year |
|---|---|---|---|
| ☁️ Nextcloud | OCS Share API exposes the full Argon2id password hash of password-protected link shares via /ocs/v2.php/apps/files_sharing/api/v1/shares, enabling offline brute-force attacks without rate limiting. | YesWeHack | 2026 |
| 🔐 Keycloak | Cross-client token introspection IDOR via /realms/{realm}/protocol/openid-connect/token/introspect: any confidential OAuth client can introspect tokens issued to other clients, leaking full PII and session metadata (username, email, sub, roles, session state) without authorization. Fixed in Keycloak 26.6.3. (CVE-2026-37979) | YesWeHack | 2026 |
| 🐹 Go (golang/x/image) | VP8L decoder validation-ordering flaw – dimension check ran after a 1 GiB allocation instead of before. Credited by the Go team in golang/go#80063; fix landed in CL 792240. Classified as a hardening measure. | Google OSS VRP | 2026 |
| 🔬 Google OSS VRP (osv-scanner) | Enabled Swift PackageResolved plugin to detect SwiftURL ecosystem CVEs – fixing zero CVE matches for SPM packages previously misidentified as CocoaPods (PR #2801) | Google OSS VRP | 2026 |
| 🔬 Google OSS VRP (osv-scalibr) | Ecosystem misclassification fix causing zero CVE matches for Wolfi OS and Chainguard container images | Google OSS VRP | 2026 |
| 🚀 NASA (globe.gov) | Information Disclosure on official government platform | Bugcrowd VDP | 2026 |
| 🔓 Google OSS VRP (Angular) | Critical vulnerability in CI/CD pipeline affecting widely used open source project | Google OSS VRP | 2026 |
| 📋 OpenProject | Improper Access Control leading to unauthorized cross-project data manipulation (CVE-2026-27722 · GHSA-xw8w-4qxm-g9gv) | YesWeHack | 2026 |
| 📋 OpenProject | Authentication logic flaw enabling account compromise | YesWeHack | 2026 |
| 📋 OpenProject | Improper Access Control on sensitive reporting module | YesWeHack | 2026 |
| 💳 PayPal | Business Logic vulnerability in payment processing workflow | HackerOne | 2026 |
| 🏨 Shiji Group | Broken Access Control on enterprise hospitality management platform | YesWeHack | 2026 |
| 📰 Geenius Meedia | Multiple Business Logic vulnerabilities across subscription and content delivery systems | YesWeHack | 2026 |
| 🔧 cURL | Functional regression in core authentication implementation | HackerOne | 2026 |
| 🎯 YesWeHack Dojo #49 | Challenge Winner – exploitation chain achieving restricted file access | YesWeHack Dojo | 2026 |
| 🎯 YesWeHack Dojo #50 | Challenge Winner – bypass of security controls with bonus points awarded | YesWeHack Dojo | 2026 |