Security Researcher uncovering critical vulnerabilities in web apps, APIs & cloud infrastructure. Specializing in multi-bug exploitation chains that turn overlooked issues into account takeovers.
Security researcher turning complex attack surfaces into actionable critical findings.
I'm Yousef Muhammedelkhir, a security researcher and bug bounty hunter based in . I focus on uncovering high-impact vulnerabilities in web applications, APIs, and cloud infrastructure with real business impact.
My approach goes beyond surface-level testing: I look for vulnerability chains that escalate into critical outcomes like full account takeover, unauthorized data access, and privilege escalation. This methodology has led to critical-severity findings across public and private programs on HackerOne.
I actively share knowledge through detailed writeups on Medium and engage with the security community on X, contributing techniques and methodologies back to the space that helped me grow.
API security, broken access control, and chaining bugs into account takeover
Firebase misconfigurations, GCP API exposure, cloud storage security research
Publishing technical writeups on Medium (@rofes1337) from real findings
Developing custom security automation and recon tooling to scale discovery
Selected findings demonstrating real-world security impact across programs.
Identified and responsibly disclosed a critical-severity vulnerability on a private HackerOne program with significant impact on core business functionality, resulting in a bounty award.
Chained multiple individually low-impact vulnerabilities to achieve complete account takeover. Documented in a published writeup, demonstrating the power of creative bug chaining.
Discovered broken access control and IDOR vulnerabilities enabling unauthorized access to sensitive user data and privileged application functionality across multiple user accounts.
Identified missing authorization checks in API endpoints allowing unauthenticated or low-privilege users to access privileged functionality and sensitive cross-account data.
Uncovered critical cloud misconfigurations exposing sensitive backend data and internal resources, including exposed Firebase databases and publicly readable storage buckets.
Areas of deep focus developed through real-world research and bug bounty hunting.
Sharing knowledge from real findings to help the security community grow.
A deep-dive into how a single target can yield a full suite of chained vulnerabilities. Walks through recon, initial discovery, and how multiple individually minor bugs were chained to achieve significant real-world impact, showing why bug chaining is the most underrated skill in bug bounty.
Full collection of vulnerability research, exploitation techniques, and bug bounty methodologies.
Publicly disclosed vulnerability reports with technical details and proof-of-concept exploits.
Regular security insights, hunting tips, and research notes shared with the bug bounty community.
Industry-recognized certifications across red teaming, penetration testing, and application security.
CyberWarFare Labs
INE Security (eLearnSecurity)
The SecOps Group (PentestingExams.com)
APIsec University
EC-Council
Open to private program invitations, penetration testing engagements, security consulting, and research collaborations.