AVAILABLE FOR ENGAGEMENTS

DARKINS_

Elite security researcher specializing in web application vulnerabilities, API security, and complex attack chains. Turning code into exploits, exploits into reports, reports into bounties.

High
Severity Focus
100%
Signal Rate
AI+
Driven
Active
Status
~/about

Security Researcher & Bug Hunter

Turning vulnerabilities into opportunities for stronger security

Who I Am

A dedicated security researcher with a passion for finding and responsibly disclosing vulnerabilities. With years of experience in offensive security, I've helped organizations worldwide secure their digital infrastructure.

What I Do

My expertise spans authentication bypasses, injection attacks, business logic flaws, and API security. I combine automated reconnaissance with deep manual testing to uncover what automated scanners miss.

OPEN FOR OPPORTUNITIES

Private Programs
Security Consulting
Research Collab
Part-time Roles
~/darkins/profile.sh

# System Information

$ neofetch

OS: Security-focused

Approach: AI-Driven Methodology

Location: Remote / Worldwide

$ cat skills.txt

├── Web Application Security

├── API Penetration Testing

├── Auth Bypass & IDOR

├── Business Logic Flaws

└── Cloud Security (AWS/GCP)

$ echo $PLATFORMS

HackerOne Bugcrowd Intigriti

$ whoami

top-1%-researcher

Currently accepting new programs
~/skills

Technical Arsenal

Years of offensive security experience distilled into actionable expertise

🌐

Web Security

XSS (Reflected, Stored, DOM) 100%
CSRF & Clickjacking 80%
Session Management 60%
Authentication Bypass 100%
🔌

API Security

REST API Testing 100%
GraphQL Security 80%
IDOR & BOLA 100%
JWT Attacks 100%
💉

Injection Attacks

SQL Injection 100%
NoSQL Injection 100%
Command Injection 60%
SSRF 100%

Advanced Attacks

XXE Injection 100%
Race Conditions 80%
File Upload Bypass 100%
WAF Bypass 100%
🔍

Reconnaissance

Subdomain Enumeration 100%
Content Discovery 80%
JavaScript Analysis 100%
OSINT 60%
🤖

Automation

Python Scripting 80%
Bash Automation 60%
Custom Nuclei Templates 60%
AI-Assisted Testing 100%
🏆 ~/achievements

Track Record

Quality-focused security research with AI-driven methodology

🎯
100%
Signal Rate
🤖
AI+
Approach
🔴
Critical
Focus
🔒
Private
Programs

🛡️ Methodology

🤖
AI-Augmented Testing
Modern tools + manual verification
🎯
Critical Impact Focus
Quality over quantity approach
📝
Detailed Reporting
Clear PoC + remediation steps

Focused on private programs

📊 Platform Activity

A
HackerOne
Rising
Active
P
Bugcrowd
Growing
P2
A
Intigriti
Building
Active

"Clean reports with reproducible steps and actionable recommendations"

— Focus on quality

~/writeups

Security Research

Detailed technical write-ups of vulnerabilities discovered during bug bounty hunting

Critical
BAC Private Program

Real-Time Voting Results Leak via Broken Access Control

Critical authorization failure allowing unauthenticated access to real-time voting statistics.

Mon Jan 05 2026
Critical
WAF Bypass Private Program

Cloudflare WAF Bypass via Null Byte Injection

Discovered a critical WAF bypass using null byte injection, allowing direct access to protected endpoints.

Mon Jan 05 2026
Medium
Misconfiguration Private Program

CDN Directory Listing Information Disclosure

CDN server misconfiguration exposed directory structure, leaking pre-release promotional content.

Mon Jan 05 2026
Critical
NoSQLi Private Program

Full Database Dump via NoSQL Injection

Discovered a critical NoSQL injection vulnerability allowing complete database extraction through unvalidated query parameters.

Mon Jan 05 2026
High
Privilege Escalation Private Program

Privilege Escalation to Admin Analytics

Regular users could access administrative analytics endpoints due to missing role verification.

Mon Jan 05 2026
High
IDOR Private Program

IDOR via Predictable MongoDB ObjectIDs

Discovered resource enumeration vulnerability through predictable sequential MongoDB ObjectIDs.

Mon Jan 05 2026
Critical
JWT Private Program

JWT Secret Brute Force Leading to Account Takeover

Weak JWT secret allowed brute force attack, enabling forging of arbitrary user tokens.

Mon Dec 01 2025
Medium
GraphQL Private Program

GraphQL Introspection Exposes Internal API Schema

GraphQL introspection enabled in production exposed entire API schema including internal endpoints.

Sat Nov 01 2025
High
OAuth Private Program

OAuth State Parameter Missing Enables CSRF Account Linking

Missing state parameter in OAuth flow allowed attackers to link victim accounts to attacker's third-party account.

Wed Oct 01 2025
Critical
SSRF Private Program

SSRF via PDF Generator to Internal Services

PDF generation feature allowed SSRF to internal AWS metadata service, exposing IAM credentials.

Mon Sep 01 2025
High
Race Condition Private Program

Race Condition in Coupon Redemption

Race condition allowed single-use discount coupons to be applied multiple times.

Fri Aug 01 2025
High
XSS Private Program

Stored XSS in Profile Bio Field

Insufficient HTML sanitization in profile bio allowed persistent XSS affecting all profile visitors.

Tue Jul 01 2025
Critical
SQLi Private Program

Blind SQL Injection in Search Functionality

Time-based blind SQL injection in search parameter allowed full database extraction.

Sun Jun 01 2025
High
Subdomain Takeover Private Program

Subdomain Takeover via Dangling CNAME

Abandoned subdomain pointing to unclaimed cloud service allowed complete subdomain takeover.

Thu May 01 2025
High
Info Leak Private Program

Hardcoded API Keys Exposed in JavaScript Bundle

Production JavaScript bundle contained hardcoded API keys for third-party services.

Tue Apr 01 2025
Critical
Auth Bypass Private Program

Predictable Password Reset Token

Password reset tokens were generated using predictable timestamp-based algorithm.

Sat Mar 01 2025
Critical
XXE Private Program

XXE in XML Import Functionality

XML parser allowed external entities, enabling file disclosure and SSRF.

Sat Feb 01 2025
High
Host Header Private Program

Host Header Injection Leading to Password Reset Poisoning

Application used Host header for generating password reset links without validation.

Wed Jan 01 2025
High
CORS Private Program

CORS Misconfiguration Allows Credential Theft

Wildcard CORS with credentials enabled allowed cross-origin exfiltration of sensitive data.

Fri Nov 01 2024
High
WebSocket Private Program

WebSocket Connection Lacks Authentication

WebSocket endpoint accepted connections without verifying authentication tokens.

Sun Sep 01 2024
Critical
File Upload Private Program

Unrestricted File Upload to RCE

Image upload functionality lacked proper validation, allowing PHP file upload and remote code execution.

Mon Jul 01 2024
High
IDOR Private Program

IDOR leads to Account Takeover

Found an Insecure Direct Object Reference vulnerability in the user profile endpoint effectively allowing full account takeover.

Mon Jan 15 2024
Critical
XSS + CSRF Public Program

Self-XSS to Account Takeover via CSRF

Chaining a Self-XSS in the profile description with a CSRF vulnerability to force victims to execute malicious JavaScript.

Mon Nov 20 2023
~/certifications

Continuous Learning

Always expanding knowledge through certifications and hands-on training

📜 Certification Timeline

🎯

OSCP

Offensive Security Certified Professional

2025
In Progress
🌐

eWPTX

eLearnSecurity Web Penetration Tester eXtreme

2025
Planned
🔥

BSCP

Burp Suite Certified Practitioner

2024
Completed
🛡️

CEH

Certified Ethical Hacker

2023
Completed

📚 Currently Learning

Advanced API Hacking 75%
Cloud Security (AWS) 60%
Mobile App Pentesting 40%
Malware Analysis 25%

# Next milestone

$ echo $NEXT_GOAL

OSCP by Q2 2025

~/contact

Let's Connect

Have a private program invitation or want to discuss security research? I'm always open to new opportunities.

Primary Email

contact@darkins.dev

Response time: 24-48 hours

SECURITY DISCLOSURE

For responsible disclosure inquiries, include [SECURITY] in subject. PGP encryption preferred for sensitive reports.

~/send_message.sh

$ echo "Messages are encrypted and stored securely"