Sheraz Khalid

👋 Welcome to My Blog

I'm a Cybersecurity Consultant with over 6 years of hands-on experience in offensive security, covering web applications, mobile apps, APIs, and Active Directory environments. I work with companies to find and fix real-world vulnerabilities through focused VAPT engagements, bringing an attacker's mindset to every assessment.

Since 2020, I've been actively hunting bugs on Bugcrowd, where I currently rank #1 in Pakistan for critical and high severity findings and hold a 164th global ranking. That experience feeds directly into my consulting work at GBM, where I've been delivering end-to-end security assessments since 2023.

This blog is where I document the journey, bug bounty write-ups, CTF walkthroughs, and things I've picked up along the way. If something here helps you, that's the whole point.

Feel free to explore, and reach out if you'd like to connect or work together.

  • Age 28
  • Residence Islamabad, Pakistan
  • e-mail daimbutt70@gmail.com

What I Do

Cyber Security Consultancy

I help clients identify and fix real-world security flaws across web apps, APIs, mobile apps, and infrastructure. Every engagement is driven by a genuine attacker mindset, not just a checklist.

Bug Hunting

Ranked #1 in Pakistan for critical and high severity findings on Bugcrowd, with 400+ valid bugs and a top 200 global ranking. It keeps me sharp and connected to how vulnerabilities actually look in the wild.

Blogging

I write about real vulnerabilities, CTF walkthroughs, and lessons from actual engagements. If something I've figured out the hard way saves you time, that's a win.

CTF Player

I regularly work through HTB machines, OffSec Proving Grounds labs, and CTFs to stay hands-on with real exploitation techniques. It's where I test new attack paths and sharpen skills that feed directly into client work.

Progress Reports

Valid Reports

400+

Hall of Fames

50+

Experience

6+ Years

Career Objective

My goal is to help organizations find and fix the security flaws that actually matter, across web, mobile, APIs, network, and infrastructure. Cybersecurity is not just a profession for me. It's what I genuinely enjoy, and that curiosity drives everything from client engagements to late night lab sessions and bug bounty hunting.

Resume

Education

2016 - 2018
University of Central Punjab

ADP IT Management

The program brings together key elements of IT and business management. With a strong focus on real-world projects and hands-on learning, it prepares students to tackle modern business challenges using practical technology solutions.

Experience

2023 - Present
Gulf Business Machine (GBM)

Cyber Security Consultant

  • Led and delivered end-to-end VAPT projects covering web apps, APIs, mobile apps, and IP infrastructure.
  • Collaborated with teammates on phishing simulations and red team engagements.
  • Acted as a primary point of contact for clients - from scoping to delivery.
  • Helped clients understand risk reports clearly and guided them in remediation efforts.
  • Ensured timely delivery of assessments with actionable recommendations.

2019 - Present
Bugcrowd

Bug Bounty Hunter

  • Actively hunting security vulnerabilities since 2019 - here's my profile
  • Reported 390+ valid bugs across multiple private and public programs
  • Earned over 3,100 reputation points and currently ranked #174 worldwide
  • Specialize in identifying high-impact issues such as XSS, IDOR, SQLi, and authentication flaws
  • Received multiple Hall of Fame mentions and program-specific recognitions

2021 - 2023
Synack

Synack Red Teamer

  • Conducted private, high-impact security assessments across various enterprise assets
  • Identified and reported vulnerabilities with detailed PoCs through the Synack platform
  • Maintained a strong acceptance rate and contributed to high-signal research efforts

Certifications

2025 - 2028
Altered Security

CRTP (Certified Red Team Professional)

Focused on Active Directory exploitation techniques from a red teamer's perspective.

Research

2020 - Present
Personal / Community

Published CVEs

Published multiple CVEs for vulnerabilities identified in third-party software:

Pentesting Skills

Web Application Pentesting

85%

API Pentesting

70%

Network Pentesting

60%

Active Directory Pentesting

40%

Coding / Other Skills

Bash

65%

Python

45%

HTML/CSS

50%

Linux

75%

Googling

100%

Tools

  • Burp Suite
  • SQLMap
  • FFUF
  • Metasploit
  • Linux
  • Wireshark
  • BloodHound
  • CrackMapExec
  • Impacket


Acknowledgement


  • Ebay
  • Fedex
  • Dell
  • Under Armour
  • Wise
  • Indeed
  • Upwork
  • Bugcrowd


Achievement


  • Bugcrowd MVP - Multiple quarters
  • Top 10 on Bugcrowd Leaderboard - January 2024
  • CRTP
  • Ranked #174 Globally on Bugcrowd
