About

Rhyru9

I'm a bug bounty hunter and security researcher specializing in web application security, API testing, and vulnerability discovery. Focused on responsible disclosure and helping organizations build more secure systems.


About Me

I hunt vulnerabilities through responsible disclosure programs. My focus is on finding security flaws in web applications and APIs — from critical authentication bypasses to business logic vulnerabilities that could impact user security.

My approach combines systematic testing methodologies with creative problem-solving. Security research isn’t just about running automated tools — it’s about understanding application logic, identifying edge cases, and thinking like both a developer and an attacker.

When I’m not testing applications, I’m learning new techniques, contributing to the security community, and documenting my findings through technical writeups.


What I Do

Currently focused on:

  • Bug Bounty Hunting — Finding and responsibly disclosing vulnerabilities through platforms like HackerOne and YesWeHack
  • Security Research — Exploring web application vulnerabilities, API security flaws, and authentication mechanisms
  • Technical Documentation — Writing detailed vulnerability reports and security advisories
  • Continuous Learning — Participating in CTF competitions and security training platforms

Highlights

  • 200+ valid vulnerabilities discovered
  • 5+ Hall of Fame recognitions
  • 10+ government certificates

Specializations

Web Application Security
XSS, SQL Injection, Authentication Bypass, Authorization Issues, SSRF, XXE, IDOR, Business Logic Flaws

API Security
REST/GraphQL API testing, Authentication mechanisms, Authorization flaws, Rate limiting issues

Security Research
Vulnerability discovery, Exploit development, Security tool automation, Technical writeups

Responsible Disclosure
Working with security teams, Writing comprehensive reports, Following coordinated disclosure practices


Recent Writeups

January 5, 2026

Discovered a critical broken access control vulnerability in bdf.belgium.be that exposed sensitive user information i...

February 2, 2025

Learn how to identify and perform a takeover of unclaimed Framer subdomains, such as *.framer.website, to demonstrate...

March 21, 2024

A journey from basic subdomain enumeration to discovering a critical GraphQL denial-of-service vulnerability. What st...

March 9, 2024

A self-XSS in an AI support chat led me to test document.domain, which unexpectedly revealed an S3 bucket. This disco...


Recognition

I’ve been recognized in Hall of Fame programs by:

  • Belgium Government — CCB Belgium
  • BlackBerry — Security Acknowledgment
  • Ferrari — Responsible Disclosure Programme
  • Airship — Security Recognition
  • Vidio — Bug Bounty Program

View complete list of achievements and certificates here.


Contact

Interested in security collaboration or have questions about vulnerability disclosure? Feel free to reach out:

Open to security research collaborations and responsible disclosure opportunities.