Skip to content
View herdiyana256's full-sized avatar
🎯
Focusing
🎯
Focusing
2 followers · 16 following

Achievements

Achievement: QuickdrawAchievement: Pair ExtraordinaireAchievement: YOLOAchievement: Pull Shark

Achievements

Achievement: QuickdrawAchievement: Pair ExtraordinaireAchievement: YOLOAchievement: Pull Shark

Highlights

Block or report herdiyana256

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Maximum 250 characters. Please don’t include any personal information such as legal names or email addresses. Markdown is supported. This note will only be visible to you.
Report abuse

Contact GitHub support about this user’s behavior. Learn more about reporting abuse.

Report abuse
herdiyana256/README.md

Hi Everyone! 👋, I'm Herdiyanitdev

🛡️AppSec & DevSecOps Engineer & Security Researcher from Indonesia

HackerOne Profile   Bugcrowd Profile   YesWeHack Profile

🏅 Hall of Fame & Security Achievements

Organization Finding Platform Year
☁️ Nextcloud OCS Share API exposes full Argon2id password hash of password-protected link shares via /ocs/v2.php/apps/files_sharing/api/v1/shares, enabling offline brute-force attacks without rate limiting. YesWeHack 2026
🔐 Keycloak Cross-client token introspection IDOR via /realms/{realm}/protocol/openid-connect/token/introspect any confidential OAuth client can introspect tokens issued to other clients, leaking full PII and session metadata (username, email, sub, roles, session state) without authorization. Fixed in Keycloak 26.6.3. (CVE-2026-37979) YesWeHack 2026
🔬 Google OSS VRP (osv-scanner) Enabled Swift PackageResolved plugin to detect SwiftURL ecosystem CVEs — fixing zero CVE matches for SPM packages previously misidentified as CocoaPods (PR #2801) Google OSS VRP 2026
🔬 Google OSS VRP (osv-scalibr) Ecosystem misclassification fix causing zero CVE matches for Wolfi OS and Chainguard container images Google OSS VRP 2026
🚀 NASA (globe.gov) Information Disclosure on official government platform Bugcrowd VDP 2026
🌐 Google OSS VRP (Angular) Critical vulnerability in CI/CD pipeline affecting widely used open source project Google OSS VRP 2026
🔑 OpenProject Improper Access Control leading to unauthorized cross-project data manipulation (CVE-2026-27722 · GHSA-xw8w-4qxm-g9gv) YesWeHack 2026
📋 OpenProject Authentication logic flaw enabling account compromise YesWeHack 2026
📊 OpenProject Improper Access Control on sensitive reporting module YesWeHack 2026
💳 PayPal Business Logic vulnerability in payment processing workflow HackerOne 2026
🏨 Shiji Group Broken Access Control on enterprise hospitality management platform YesWeHack 2026
📰 Geenius Meedia Multiple Business Logic vulnerabilities across subscription and content delivery systems YesWeHack 2026
🔧 cURL Functional regression in core authentication implementation HackerOne 2026
🎯 YesWeHack Dojo #49 Challenge Winner — exploitation chain achieving restricted file access YesWeHack Dojo 2026
🎯 YesWeHack Dojo #50 Challenge Winner — bypass of security controls with bonus points awarded YesWeHack Dojo 2026

Connect with me:

LinkedIn Instagram

🛡️ Security Tools:

Burp Suite Metasploit Nmap Wireshark OWASP ZAP Nuclei ffuf

⚙️ DevOps & Infrastructure:

Docker Kubernetes Grafana Prometheus Nginx Git Linux AWS

💻 Languages & Web Tools:

React Vue.js Angular Next.js JavaScript TypeScript Go PHP Tailwind Sass Node.js Express Laravel MongoDB MySQL PostgreSQL

Pinned Loading

  1. kotlin-web-site kotlin-web-site Public

    Forked from JetBrains/kotlin-web-site

    The Kotlin programming language website

    JavaScript

  2. angular angular Public

    Forked from angular/angular

    The modern web developer’s platform

    TypeScript

  3. react-nestjs-full-web-app react-nestjs-full-web-app Public

    Forked from ipenywis/react-nestjs-full-web-app

    Full React with Nestjs/Nodejs Web Application deployed on Hostinger with docker and docker-compose

    TypeScript

  4. flutter_apps flutter_apps Public