Bug Bounty Bootcamp
The Guide to Finding and Reporting Web Vulnerabilities
Web application penetration testing, threat intelligence, and custom tooling — currently studying AI security.





The Guide to Finding and Reporting Web Vulnerabilities
Selected builds documented with their purpose, security decisions, and remaining risks.
AI Engineer · System Architect · AI-powered math learning platform
Student and admin web apps share a central API. Interactive tutoring streams through an internal RAG service, while quiz generation runs as durable background jobs. The platform separates primary records, private files, transient state, and retrieval data.
Course material enters model context after hybrid retrieval and optional reranking, so uploaded content remains an attack surface.
The backend verifies session ownership for chat and administrator authorization for ingestion before proxying to the internal AI service.
Quiz jobs are recorded before dispatch; workers fetch current job state and report results through the backend.
Administrative ingestion is size- and type-checked before document processing and retrieval indexing.
Scrum Master · Full-Stack Developer · University course project · team delivery
A gated-community platform: admins approve residents and manage houses, guards log visitors in and out at the gate, and everyone gets real-time notifications. I ran the sprints and built the access-control core.
New residents stay pending with no data access until an admin approves them; signing up alone does not grant access.
Admin, resident, and guard see different dashboards — but the UI is just a mirror. Every backend route re-checks the caller's role, so hiding a button never counts as security.
House and visitor records are looked up through the caller's own identity, not a raw ID from the request — guessing another house number gets you a 403, not a neighbor's visitor log.
Real-time notifications are room-scoped to the authenticated user. A guard's gate events push to that village only — the socket layer trusts the session, never the client's claim.
Open to Product Security, Application Security, and Penetration Testing roles in Bangkok, Chiang Mai, or remote. Focused on securing applications across the development lifecycle — from secure design and development through testing and remediation.