About

Brief Bio

I'm a software developer, architect, author by trade, with years of experience in software large (millions of users) and small startups and non-profits. Recently I took a more active role in a life-long hobby of playing with security, cryptography, and puzzles into a full-on passion for security research, bug bounty, and the like.

My Stats

I started bug bounty as a hobby in Sep 2020. I've hacked on 3 major platforms, my profiles are linked below:

  • HackerOne - ~5400 rep, 7.0 signal, 24.0 impact
  • Bugcrowd - ~650 pts, 100% accuracy, 15 P1s
  • Synack (SRT) - level 0x05, SRT of the Year 2023 (#1 SRT globally), Rookie of the Year 2023

I actively hunted on HackerOne from Sep 2020-Aug 2021. During this time, I was in the top 10 on the US leaderboard, delivering critical and high findings on numerous private and public programs. Towards the end of the year I moved to Bugcrowd, as well as joined the Synack Red Team (SRT).

My focus areas are deep recon / research and P1/P2/P3 findings. I'm always happy to discuss techniques around these or collaborate with hackers - ping me on Twitter (@pmnh_) or Discord (pmnh#8207). I haven't ever intentionally filed a P4/P5, so I can't really help you with questions about this class of bugs.

Why Read This Site?

This simple site captures some stories and learnings on this journey. I hope you find it useful. I aim to publish once or twice monthly. My goal is to share interesting findings as well as some metrics and learnings as a relative newcomer to this field.

This site is not intended for people new to bug bounty, but instead targeting those looking to improve their craft, read more technical articles, and generally "talk shop". In most cases I won't be explaining commonly Google-able terms and suggest you rely on the many great resources around the web for bug bounty basics.

How Do You Pronounce pmnh?

You can simply say each letter 😄

Feedback / Questions?

Feel free to send any feebdack my way on Twitter, I can be reached at @pmnh_ - unfortunately my social media presence doesn't match my bug bounty platform names, sorry for any confusion 😄