I'm Sim4n6 — a solo ethical hacker working under the SecurityBugFocus name. I run vulnerability research and bug bounty engagements against web applications, CI/CD pipelines, and modern AI/MCP stacks. 37 CVEs disclosed across GitLab, NVIDIA NeMo, DataDog, MindsDB, Plane, MobSF, Caido, and a long tail of open-source software since 2022.
Manual pentest of your web app, API, or GraphQL endpoint — focused on the bug classes I actually find: authorization, input handling, parser confusion, and the edge cases your scanner missed.
GitHub Actions, GitLab CI, build-pipeline integrity, secret-handling, and the long tail of injection paths through your release process. Where I've found a Critical command-execution before.
Custom CodeQL queries written for your codebase, with taint tracking from real attacker-controlled sources to the sinks that matter. Findings come with working PoCs, not theory.
Prompt injection, tool-call abuse, agent authorization, and MCP server boundary review — the security model nobody got around to specifying yet, looked at by someone who's actually built one.
You found something — or someone reported it to you — and now you need help. I write the advisory, coordinate with vendors and CNAs, request the CVE, draft the patch notes, and run the disclosure timeline so it lands cleanly. I've shipped 37 of these. Yours will be number 38.
The complete list — every CVE, every advisory, with year-by-year detail and severity breakdown — lives in my GitHub profile and is updated as disclosures land.
↗ FULL LIST · github.com/sim4n6
A short field guide to why a TTL-window race against your own DNS resolver beats most 'block private IPs' controls, drawn from cases against MobSF, MindsDB, and a recent GitLab importer.
Filenames, email addresses, identifiers — anywhere user input gets normalised after a length check, the multiplier between bytes-in and bytes-out becomes a denial-of-service primitive. Three case studies.
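An added example, not taken from the case studies above, showing the check-before-normalise ordering bug beside the corrected order. MAX_LEN and the function names are assumptions; the worst-case input is a constructed one (U+FDFA, which NFKC expands into 18 code points).

```python
import unicodedata

MAX_LEN = 64  # assumed per-field limit, in code points (hypothetical application setting)

# Constructed worst case: U+FDFA is one code point that NFKC expands into 18,
# the largest single-character expansion in the Unicode compatibility tables.
WIDEST_CHAR = "\ufdfa"


def expansion(value: str, form: str = "NFKC") -> tuple[int, int, int, int]:
    """Return (codepoints_in, codepoints_out, bytes_in, bytes_out) for normalising value."""
    out = unicodedata.normalize(form, value)
    return len(value), len(out), len(value.encode("utf-8")), len(out.encode("utf-8"))


def accept_vulnerable(value: str) -> str:
    """Length check BEFORE normalisation: bounds bytes-in, says nothing about bytes-out."""
    if len(value) > MAX_LEN:
        raise ValueError("too long")
    return unicodedata.normalize("NFKC", value)  # may be up to 18x MAX_LEN code points


def accept_hardened(value: str) -> str:
    """Cheap pre-check bounds the work normalisation does; the re-check afterwards
    applies to the value that is actually stored, compared and indexed."""
    if len(value) > MAX_LEN:
        raise ValueError("too long")
    normalised = unicodedata.normalize("NFKC", value)
    if len(normalised) > MAX_LEN:
        raise ValueError("too long after normalisation")
    return normalised


if __name__ == "__main__":
    print("U+FDFA expansion (cp_in, cp_out, bytes_in, bytes_out):", expansion(WIDEST_CHAR))
    payload = WIDEST_CHAR * MAX_LEN  # passes a naive pre-normalisation length check
    print("vulnerable path stores", len(accept_vulnerable(payload)), "code points")
    try:
        accept_hardened(payload)
    except ValueError as exc:
        print("hardened path rejects:", exc)
```

The same pattern applies wherever the limit is enforced on raw input but the normalised form is what reaches the database column, filename or index.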
SecurityBugFocus is a one-person practice. There's no agency behind me, no junior consultants quietly running the engagement. When you book me, you get me — the same person whose name is on those 37 advisories.
I've spent the last several years finding and disclosing vulnerabilities in software people actually use — GitLab, NVIDIA NeMo, DataDog tooling, MindsDB, Plane, MobSF, OctoPrint, Gogs, NVIDIA Frigate, and a long tail of open-source projects in the supply chain. Every disclosure has been responsible: vendor first, CVE assigned, patch shipped before public detail.
The work I take on is the work I'm good at: deep technical review of web applications, CI/CD pipelines, and the new AI/MCP attack surface. I write CodeQL queries, I read source, I run the exploit. If a finding can't be exploited under realistic conditions, I don't pad the report with it.
Engagements start with a 30-minute call to scope the work, agree the rules-of-engagement, and decide whether I'm the right person for the job. No pitch decks. Email below.
Response time: typically within 48 hours, Tangier working hours (UTC+01). For new engagements, please include a short description of the target, the desired scope, and your timeline. Bug-bounty advisory questions and disclosure-coordination requests welcome.