Experience
Penetration Tester, KPMG Colombia
April 2025 – Present
- Web and mobile application penetration testing for enterprise clients across financial, healthcare, and government sectors, including major energy corporations.
- Manual and automated vulnerability assessment: SQLi, XSS, IDOR, SSRF, Business Logic flaws, authentication bypasses, and API security testing.
- Exploitation of complex vulnerability chains in regulated environments under OWASP and PTES methodologies.
- Client-facing reporting: translating critical technical findings into executive-level risk impact, with actionable remediation roadmaps.
- Attack surface analysis and red team collaboration on complex multi-layered infrastructures.
Security Researcher - HackerOne / BugCrowd
June 2023 – Present
- Specialized in identifying critical vulnerabilities using PTES methodology and lateral thinking to solve complex problems with technical creativity.
- Reported Open Redirect, Subdomain Takeover, and Information Disclosure vulnerabilities in Adobe, NASA VDP, and private programs.
- Specialized in asset enumeration, web exploitation, and high-impact findings across public and private bug bounty programs.
Software Analyst / Ethical Hacker Intern - Siesa
January 2024 – June 2024
- Analyzed enterprise ERP and CRM software solutions across multiple versions prior to production deployment.
- Conducted penetration testing on two internal applications, identifying SQL Boolean Injection and Reflected XSS vulnerabilities with remediation proposals.
- Contributed to software quality and security analysis, improving operational efficiency and data protection standards.
CVEs / Vulnerability Research
CVE-2026-35526
Denial of Service via unbounded WebSocket subscriptions in Strawberry GraphQL (+5M downloads/month on PyPI). An unauthenticated attacker can exhaust server resources by opening unlimited subscriptions without triggering any rate limit.
advisory →CVE-2026-34406
Privilege Escalation via mass assignment of is_superuser in APTRS's user edit endpoint. A low-privileged authenticated user can escalate to superuser by sending a crafted request that modifies protected fields.
advisory →CVE-2026-34381
Unauthenticated access to role-restricted documents in Admidio via a neutralized .htaccess file. File access controls were bypassable without any authentication.
advisory →CVE-2026-34382
Missing CSRF protection on custom list deletion in Admidio's mylist_function.php. Allows an attacker to trick authenticated users into deleting arbitrary lists via a forged request.
advisory →CVE-2025-50578
Host Header Injection + Open Redirect in the official Heimdall Docker image (LinuxServer.io). Manipulation of the Host header allows arbitrary redirection of authenticated users.
advisory →CVE-2025-50579
Authentication bypass vulnerability in Nginx Proxy Manager v2.12.3. Reported via MITRE/NVD.
advisory →More research in progress.
Some findings are under coordinated disclosure.
Achievements
Vulnerabilities reported and acknowledged in NASA's Vulnerability Disclosure Program.
Letter of Appreciation - NASA VDP · May 15, 2025
Letter of Appreciation - NASA VDP · May 29, 2025
Adobe Security: Information disclosure of git metadata and Springboot actuator data, responsibly reported and resolved.
Disclosure of git metadata & Springboot actuator info · Adobe · HackerOne
Certifications
Security Chronicles
My NASA Recognition Letter: What's Behind the Achievement
The real story behind receiving an official Letter of Appreciation from NASA's VDP - the research process, responsible disclosure, and what it means in practice.
Bug BountyHow I Passed the eWPTX - And What Actually Matters
A straightforward breakdown of the eWPTXv3 exam: what to study, what to skip, and the techniques that made the real difference on exam day.
CertificationKeccak States & SHA-3: The Power Behind Modern Cryptography
How the sponge construction and Keccak permutation work under the hood - from state matrix to the foundation of SHA-3.
CryptographyRead all posts on Medium →