z3rco Algeria

Junior Security Researcher · Source Code Auditor

I'm a security researcher specialized in finding critical vulnerabilities in production web applications. My work spans content management systems, finance platforms, SaaS products, and hosting infrastructure — the kind of software that businesses bet their operations on.

I've been assigned multiple CVEs against widely-deployed platforms, ranging from high-severity IDOR chains through GraphQL APIs to CSRF bypasses in security-critical admin workflows. These aren't theoretical — they affected real deployments at scale.

My approach is manual, source-driven testing. I read code, map logic, and find the flaws that automated tools don't catch — broken access controls, authentication bypasses, API authorization gaps, and chained exploits that turn low-severity issues into full data exposure. Every report I submit includes a working proof of concept, CVSS scoring, and actionable remediation.

I work through bug bounty programs and independent research, and I've been ranked among the top-paid researchers on active bounty platforms. If your application handles user data, payments, or access control — I'll find what your pentest missed.

Responsible disclosure. Always.

Offensive

Web App Pentesting
API Security
Source Code Review
GraphQL Exploitation
Access Control Testing
CSRF / SSRF
Auth Bypass
IDOR Hunting

Languages & Tooling

Python
Bash
JavaScript
C
C++
C#
Rust
Zig
Go
Java
Kotlin
PHP
MySQL
Linux

Domains

CMS Platforms
SaaS Products
Fintech
Hosting Infra

CVE-2026-28696 High · CVSS 7.5

Craft CMS

IDOR via GraphQL @parseRefs directive — unauthenticated access to sensitive attributes of any element in the CMS, bypassing all authorization checks. Full PII enumeration, server path disclosure, and database query as system user.

CVE-2025-68436 Medium · CVSS 6.5

Craft CMS

Information disclosure via unchecked asset relocation — authenticated users could expose sensitive assets through maliciously crafted requests targeting user profile photos.

CVE-2026-2994 Medium · CVSS 6.8

Concrete CMS

CSRF in Anti-Spam Allowlist Group Configuration — changes saved prior to CSRF token validation, allowing a rogue administrator to manipulate the group_id parameter and bypass security checks.

Need a security assessment? Found my work through a bounty platform? Want to collaborate on research? Reach out.