Sheraz Khalid

👋 Welcome to My Blog

I'm a Cybersecurity Consultant with over 5 years of hands-on experience securing web applications, APIs, and digital infrastructure. I collaborate with companies to identify and remediate real-world vulnerabilities through focused VAPT engagements.
Outside of client work, I stay sharp through bug bounty hunting and CTFs.
This blog is where I share my journey, from bug bounty write-ups and CTF walkthroughs to lessons learned during assessments.
Thanks for stopping by. Feel free to explore, learn something new, and reach out if you’d like to connect.

  • Age 27
  • Residence Islamabad, Pakistan
  • e-mail daimbutt70@gmail.com

What I Do

Cyber Security Consultancy

I help clients secure their web apps, APIs, mobile apps, and infrastructure through focused VAPT. Each project is handled with a real attacker mindset and practical insights.

Bug Hunting

Actively hunting bugs on Bugcrowd in my free time. It keeps me sharp and up to date with real-world vulnerabilities.

Blogging

I write about interesting findings, real-world cases, and personal experiences in security — hoping it helps others in the field learn something useful.

CTF Player

I regularly play CTFs and solve HTB machines to explore new techniques, sharpen my skills, and stay hands-on with exploitation.

Progress Reports

Valid Reports

400+

Hall of Fame Mentions

50+

Experience

5+ Years

Career Objective

To contribute meaningful value through cybersecurity consultancy and ethical hacking, helping organizations identify and fix real-world security flaws across web, mobile, network, and infrastructure layers. Cybersecurity is not just a profession for me; it’s a passion that fuels my continuous growth through client work, bug bounty hunting, and practical exploration of offensive security.

Resume

Education

2016 - 2018
University of Central Punjab

ADP IT Management

The program brings together key elements of IT and business management. With a strong focus on real-world projects and hands-on learning, it prepares students to tackle modern business challenges using practical technology solutions.

Experience

2023 - Present
Gulf Business Machine (GBM)

Cyber Security Consultant

  • Led and delivered end-to-end VAPT projects covering web apps, APIs, mobile apps, and IP infrastructure.
  • Collaborated with teammates on phishing simulations and red team engagements.
  • Acted as a primary point of contact for clients — from scoping to delivery.
  • Helped clients understand risk reports clearly and guided them in remediation efforts.
  • Ensured timely delivery of assessments with actionable recommendations.

2019 - Present
Bugcrowd

Bug Bounty Hunter

  • Actively hunting security vulnerabilities since 2019 — here’s my profile
  • Reported 390+ valid bugs across multiple private and public programs
  • Earned over 3,100 reputation points and currently ranked #174 worldwide
  • Specialize in identifying high-impact issues such as XSS, IDOR, SQLi, and authentication flaws
  • Received multiple Hall of Fame mentions and program-specific recognitions

2021 - 2023
Synack

Synack Red Teamer

  • Conducted private, high-impact security assessments across various enterprise assets
  • Identified and reported vulnerabilities with detailed PoCs through the Synack platform
  • Maintained a strong acceptance rate and contributed to high-signal research efforts

Certifications

2025 - 2028
Altered Security

CRTP (Certified Red Team Professional)

Focused on Active Directory exploitation techniques from a red teamer's perspective.

Research

2020 - Present
Personal / Community

Published CVEs

Published multiple CVEs for vulnerabilities identified in third-party software:

Pentesting Skills

Web Application Pentesting

85%

API Pentesting

70%

Network Pentesting

60%

Active Directory Pentesting

40%

Coding / Other Skills

Bash

65%

Python

45%

HTML/CSS

50%

Linux

75%

Googling

100%

Tools

  • Burp Suite
  • SQLMap
  • FFUF
  • Metasploit
  • Linux
  • Wireshark
  • BloodHound
  • CrackMapExec
  • Impacket


Acknowledgement


  • eBay
  • FedEx
  • Dell
  • Under Armour
  • Wise
  • Indeed
  • Upwork
  • Bugcrowd


Achievement


  • Bugcrowd MVP - Multiple quarters
  • Top 10 on Bugcrowd Leaderboard - January 2024
  • CRTP
  • Ranked #174 Globally on Bugcrowd

Contact

Freelance Available

How Can I Help You?