About
I am Samuel (known in the community as fl3x1nz), an Offensive Security Researcher and Penetration Tester specializing in Web Applications, APIs, and Mobile environments. Since 2019, I have focused on identifying, exploiting, and mitigating complex vulnerabilities in corporate ecosystems, prioritizing manual exploitation and deep architectural analysis over automated scanning.
My methodology is heavily grounded in industry standards such as OWASP (WSTG) and MITRE ATT&CK. I specialize in uncovering business logic errors, OAuth/JWT misconfigurations, and executing dynamic instrumentation (Frida) and reverse engineering (JADX) on Android applications. I also build custom tooling and Caido plugins (Python/JavaScript) to optimize attack workflows and analyze attack surfaces efficiently.
Current Operations
I am an active Bug Bounty Hunter, primarily operating on Intigriti, where I consistently submit high/critical severity reports. My recent research has focused on bypassing modern security controls (WAFs) and securing emerging technologies, including Cloud architectures and AI systems.
Parallel to bug bounty, I provide targeted Security Consulting. This includes conducting AWS Cloud Security Assessments (auditing IAM and S3 misconfigurations for data exposure risks) and executing LLM Penetration Testing, mapping vulnerabilities strictly against the OWASP Top 10 for Large Language Models.
Professional Disclosure & Impact
My approach to vulnerability research is impact-driven, aiming to secure platforms before threats can be weaponized. Notable disclosures and achievements include:
CVE-2026-42195 (draw.io): Discovered and successfully exploited an OAuth Authorization Server Spoofing vulnerability, allowing session hijacking and user impersonation. Managed the full Responsible Disclosure process resulting in a critical patch.
Intigriti Recognition: Ranked in the Top 10 Quarterly Leaderboard (April 2026), with multiple validated High and Medium severity reports involving PII data leaks.
Targeted Assessments: Conducted authorized security assessments and vulnerability disclosures for platforms such as RocketSeat (EdTech platform) and CvPorVaga (AI-driven recruitment SaaS, focusing on Prompt Injection, Sensitive Information Disclosure, and Excessive Agency).
For write-ups, custom exploit development, and technical insights on modern TTPs, check out my Medium or GitHub repositories.