How a top bug bounty researcher got their start in security

For this year’s Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to feature another spotlight on a talented security researcher — @xiridium!


As we kick off Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to spotlight one of the top performing security researchers who participates in the GitHub Security Bug Bounty Program, @xiridium!

GitHub is dedicated to maintaining the security and reliability of the code that powers millions of development projects every day. GitHub’s Bug Bounty Program is a cornerstone of our commitment to securing both our platform and the broader software ecosystem.

With the rapid growth of AI-powered features like GitHub Copilot, GitHub Copilot coding agent, GitHub Spark, and more, our focus on security is stronger than ever—especially as we pioneer new ways to assist developers with intelligent coding. Collaboration with skilled security researchers remains essential, helping us identify and resolve vulnerabilities across both traditional and emerging technologies.

We have also been closely auditing the researchers participating in our public program—to identify those who consistently demonstrate expertise and impact—and inviting them to our exclusive VIP bounty program. VIP researchers get direct access to:

  • Early previews of beta products and features before public launch
  • Dedicated engagement with GitHub Bug Bounty staff and the engineers behind the features they’re testing 😄
  • Unique Hacktocat swag—including this year’s brand new collection!

Explore this blog post to learn more about our VIP program and discover how you can earn an invitation!

To celebrate Cybersecurity Awareness Month this October, we’re spotlighting one of the top contributing researchers to the bug bounty program and diving into their methodology, techniques, and experiences hacking on GitHub. @xiridium is renowned for uncovering business logic bugs and has found some of the most nuanced and impactful issues in our ecosystem. Despite the complexity of their submissions, they excel at providing clear, actionable reproduction steps, streamlining our investigation process and reducing triage time for everyone involved.


How did you get involved with Bug Bounty? What has kept you coming back to it?

I was playing CTFs (capture the flag) when I learned about bug bounties. It was my dream to get my first bounty. I was thrilled by people finding bugs in real applications, so it was a very ambitious goal to be among the people that help fix real threats. Being honest, the community gives me professional approval, which is pretty important for me at the moment. This, in combination with technical skills improvement, keeps me coming back to bug bounties!

What do you enjoy doing when you aren’t hacking?

At the age of 30, I started playing music and learning how to sing. This was my dream from a young age, but I was fighting internal blocks on starting. This also helps me switch the context from work and bug bounty to just chill. (Oh! I also spend a lot of bounties on Lego 😆.)

How do you keep up with and learn about vulnerability trends?

I try to learn on-demand. Whenever I see some protobuf (Protocol Buffers) code looking interesting or a new cloud provider is used, that is the moment when I say to myself, “Ok, now it’s time to learn about this technology.” Apart from that, I would consider subscribing to Intigriti on Twitter. You will definitely find a lot of other smart people and accounts on X, too; however, don’t blindly use all the tips you see. They help, but only when you understand where they come from. Running some crazily clever one-liner rarely grants success.

What tools or workflows have been game-changers for your research? Are there any lesser-known utilities you recommend?

Definitely ChatGPT and other LLMs. They are a lifesaver for me when it comes to coding. I recently heard some very good advice: “Think of an LLM as though it is a junior developer that was assigned to you. The junior knows how to code, but is having a hard time tackling bigger tasks. So always split tasks into smaller ones, approve ChatGPT’s plan, and then let it code.” It helps with smaller scripts, verifying credentials, and getting an overview of some new technologies.

You’ve found some complex and significant bugs in your work—can you talk a bit about your process?

Doing bug bounties for me is about diving deep into one app rather than going wide. In such apps, there is always something you don’t fully understand. So my goal is to get very good at the app. My milestone is when I say to myself, “Okay, I know every endpoint and request parameter well enough. I could probably write the same app myself (if I knew how to code 😄).” At this point, I try to review the scariest impact for the company and think about what could go wrong in the development process. Reading the program rules once again actually helps a lot.

Whenever I dive into the app, I try to make notes on things that look strange. For example: there are two different endpoints for the same thing, `/user` and `/data/users`. I start thinking, “Why would there be two different things for the same data?” Likely, two developers or teams didn’t sync with each other on this. This leads to ambiguity and complexity in the system.

Another good example is when I find 10 different subdomains, nine are on AWS and one is on GCP. That is strange, so there might be different people managing those two instances. The probability of bugs doubles!

What are your favorite classes of bugs to research and why?

Oh, this is a tough one. I think I am good at looking for leaked credentials and business logic. Diving deep and finding smaller nuances is my speciality. Also, a good note on leaked data is to try to find some unique endpoints you might see while diving into the web app. You can use search on GitHub for that. Another interesting discovery is to Google dork at Slideshare, Postman, Figma, and other developer or management tools and look for your target company. While these findings rarely grant direct vulnerabilities, they might help you better understand how the app works.

Do you have any advice or recommended resources for researchers looking to get involved with Bug Bounty?

Definitely, PortSwigger Labs and Hacker101. It is a good idea to go through the easiest tasks for each category and find something that looks interesting for you. Then, learn everything you find about your favorite bug: read reports, solve CTFs, HackTheBox, all labs you might find.

What’s one thing you wish you’d known when you first started?

Forget about “Definitely this is not vulnerable” or “I am sure this asset was checked enough.” I have seen so many cases when other hackers found bugs on the www domain for the public program.

Bonus thought: If you know some rare vulnerability classes, don’t hesitate to run a couple of tests. I once found a padding oracle on a web app in the authentication cookie. Now, I look for those on every target I might come across.
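The padding oracle mentioned above comes from a cookie-verification routine that answers differently depending on whether the decrypted padding was valid or the inner integrity check failed. The following is an added example written for this post, not code from @xiridium or from GitHub: it shows a MAC-then-encrypt cookie whose verifier leaks that distinction beside an encrypt-then-MAC verifier that checks the tag first and gives one answer for every failure. The key, IV, payload and `_toy_block` cipher are constructed for the example; the toy cipher only supplies the CBC chaining and stands in for AES, which is what the real fix would use (ideally an AEAD such as AES-GCM).

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, as for AES


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    # Raises on malformed padding. When that error reaches the client as a
    # response distinct from other failures, the server is a padding oracle.
    if not data or len(data) % BLOCK:
        raise ValueError("bad padding")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _toy_block(key: bytes, block: bytes) -> bytes:
    # Constructed stand-in for a block cipher: a keyed XOR mask (an involution,
    # so it serves for both directions). Not secure; it exists only so that CBC
    # chaining behaves as it would with AES.
    mask = hashlib.sha256(b"block:" + key).digest()[:BLOCK]
    return bytes(a ^ b for a, b in zip(block, mask))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = _toy_block(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        cur = ct[i:i + BLOCK]
        out.append(_xor(_toy_block(key, cur), prev))  # P_i = D(C_i) xor C_{i-1}
        prev = cur
    return b"".join(out)


# --- Vulnerable design: MAC-then-encrypt, padding checked before the MAC -----
def make_cookie_vulnerable(key: bytes, payload: bytes, iv: bytes = None) -> bytes:
    iv = iv if iv is not None else os.urandom(BLOCK)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return iv + cbc_encrypt(key, iv, pkcs7_pad(payload + tag))


def verify_cookie_vulnerable(key: bytes, cookie: bytes) -> str:
    iv, ct = cookie[:BLOCK], cookie[BLOCK:]
    try:
        pt = pkcs7_unpad(cbc_decrypt(key, iv, ct))
    except ValueError:
        return "bad padding"  # distinguishable from "bad mac": the oracle
    payload, tag = pt[:-32], pt[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        return "bad mac"
    return "ok"


# --- Hardened design: encrypt-then-MAC, tag verified before any decryption ---
def make_cookie_hardened(key: bytes, payload: bytes, iv: bytes = None) -> bytes:
    iv = iv if iv is not None else os.urandom(BLOCK)
    body = iv + cbc_encrypt(key, iv, pkcs7_pad(payload))
    return body + hmac.new(b"mac:" + key, body, hashlib.sha256).digest()


def verify_cookie_hardened(key: bytes, cookie: bytes) -> str:
    body, tag = cookie[:-32], cookie[-32:]
    expected = hmac.new(b"mac:" + key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "invalid"  # any tampering stops here, before decryption
    try:
        pkcs7_unpad(cbc_decrypt(key, body[:BLOCK], body[BLOCK:]))
    except ValueError:
        return "invalid"  # same answer as a tag failure: nothing to distinguish
    return "ok"


def tamper(cookie: bytes, index: int, mask: int = 0x01) -> bytes:
    b = bytearray(cookie)
    b[index] ^= mask
    return bytes(b)


KEY = b"constructed-demo-key"   # constructed for the example
IV = bytes(range(BLOCK))        # fixed for a deterministic run; use os.urandom in practice
PAYLOAD = b"user=alice;role=member"


def demo() -> dict:
    v = make_cookie_vulnerable(KEY, PAYLOAD, IV)
    h = make_cookie_hardened(KEY, PAYLOAD, IV)
    # Last byte of the penultimate ciphertext block feeds the final plaintext
    # byte, i.e. the padding length; byte 0 (the IV) feeds the first payload byte.
    return {
        "vuln_ok": verify_cookie_vulnerable(KEY, v),
        "vuln_padding_byte": verify_cookie_vulnerable(KEY, tamper(v, len(v) - BLOCK - 1)),
        "vuln_payload_byte": verify_cookie_vulnerable(KEY, tamper(v, 0)),
        "hard_ok": verify_cookie_hardened(KEY, h),
        "hard_padding_byte": verify_cookie_hardened(KEY, tamper(h, len(h) - 32 - BLOCK - 1)),
        "hard_payload_byte": verify_cookie_hardened(KEY, tamper(h, 0)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two tampered cookies get different answers from the vulnerable verifier ("bad padding" versus "bad mac") and the same answer ("invalid") from the hardened one; a response-timing difference would leak the same bit, which is why the tag check happens before any decryption work.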


Thank you, @xiridium, for participating in GitHub’s bug bounty researcher spotlight! Each submission to our bug bounty program is a chance to make GitHub, our products, and our customers more secure, and we continue to welcome and appreciate collaboration with the security research community. So, if this inspired you to go hunting for bugs, feel free to report your findings through HackerOne.
