$ cat about.md

Sheraz Khalid, offensive security.

I'm an offensive security consultant with six years of hands-on experience across web apps, APIs and mobile. I find the vulnerabilities that actually matter, prove how far they'd go, and help fix them. I've hunted on Bugcrowd and Synack since 2020, and that constant exposure to how real systems break feeds straight into the work I do for clients. For me this has always been more passion than profession, the kind of work I'd be doing anyway.

  • 450+ valid bugs
  • #167, Bugcrowd · worldwide
  • #1, Bugcrowd PK · crit/high
  • 6+ years
  • 3 published CVEs
01 experience
2023 — present
Gulf Business Machine (GBM)
Cyber Security Consultant
  • Lead and deliver end-to-end VAPT projects across web apps, APIs, mobile apps and IP infrastructure.
  • Collaborate on phishing simulations and red team engagements.
  • Primary point of contact for clients, from scoping through delivery.
  • Translate risk into clear reports and guide remediation efforts.
2019 — present
Bugcrowd
Bug Bounty Hunter
  • 400+ valid submissions across public and private programs.
  • Ranked #1 in Pakistan for critical and high severity findings.
  • Specialize in high-impact issues: XSS, IDOR, SQLi and authentication flaws.
  • Multiple Hall of Fame mentions and program-specific recognitions.
2021 — 2023
Synack
Synack Red Teamer
  • Private, high-impact security assessments across enterprise assets.
  • Reported vulnerabilities with detailed proof of concept through the Synack platform.
  • Maintained a strong acceptance rate on high-signal research.
02 skills
Web & API
Burp Suite, Caido, ffuf, sqlmap, nuclei, custom fuzzing
Mobile · Android / iOS / HMS
Frida, Objection, MobSF, SSL pinning bypass
Active Directory
BloodHound, Impacket, NetExec, ADCS abuse, Kerberoasting
Network & Infra
nmap, ligolo-ng, pivoting, privilege escalation
Automation
AI-Automation, Flask dashboards, recon pipelines
Googling
Plus an unreasonable amount of it, Stack Overflow, and the docs
03 certifications & research
certifications

CRTP

Certified Red Team Professional, Altered Security. Active Directory exploitation from a red teamer's perspective.

OSCP

Offensive Security Certified Professional, currently in progress.

04 recognition
  • Top 5 all-time, in Pakistan on Bugcrowd
  • MVP at Bugcrowd, across multiple quarters
  • Top 10 on the Bugcrowd monthly leaderboard globally, January 2024
  • Hall of Fame across major global programs
05 education
2016 — 2018
University of Central Punjab
ADP, IT Management
  • Combined IT and business management with a focus on real-world, project-based learning.