Available for security consulting & collab

Hi, I'm Jason.
I break things so you don't have to.

WAF Engineer at Walmart. Bug bounty hunter on HackerOne & Bugcrowd. I find vulnerabilities in production systems, harden defenses against real attackers, and teach what I learn through video content.

About

A defender who hunts.

I work as a WAF (Web Application Firewall) Engineer at Walmart, where I tune detection rules at scale — protecting one of the largest e-commerce surfaces on the internet from injection, scraping, and zero-day exploits.

By night, I flip sides. I hunt bugs on HackerOne (as soypapa) and Bugcrowd, focused on logic flaws, RBAC bypasses, and IDORs in SaaS platforms. The reachability mindset I built defending Walmart makes me a better attacker — and vice versa.

I also create content as @PatchMyDay on YouTube and 小红书, breaking down security tools and bounty methodology in under 60 seconds. Currently studying for my BSCP certification while building AI-driven recon and exploitation tooling on the side.

5+ Years AppSec / WAF
$25K+ Bounty Earned
40+ CVEs / Reports
Curiosity

Specialties

What I'm fluent in.

🛡️

WAF Engineering

F5, Akamai, Cloudflare, Imperva. Rule tuning at scale, false-positive triage, log pipeline automation.

🔍

Bug Bounty

RBAC/IDOR hunting on SaaS. HackerOne, Bugcrowd. Stripe top-tier bounty earner.

🤖

AI-Augmented Recon

Multi-agent pipelines. CVE triage with LLMs. Custom Burp extensions in Python/Go.

Offensive Tooling

Burp Pro, custom fuzzers, blind XSS infra (ezXSS), differential WAF fuzzing.

🐍

Python / Go

FastAPI services, automation, CLI tooling. Self-hosted security infra at scale.

📺

Content Creation

YouTube + 小红书. Bilingual security education. Sub-60-second tutorial format.

Selected Work

Things I've shipped.

Bug Bounty

Stripe RBAC Bypass

Discovered cross-tenant role escalation in Stripe Dashboard via session swap. Full data access across organizations.

$25,000 · HackerOne · 2025

Research

WAF Differential Fuzzing

Built harness to compare F5/Akamai/Cloudflare/Imperva responses to identical payloads. Surfaced bypass primitives across all four.

5 vendor advisories · ongoing

Content

PatchMyDay (@PatchMyDay)

Daily security tool tutorials. "1 Min Productivity Tools" series. Bilingual EN/CN. Mascot-led brand identity.

YouTube · 小红书 · 2025–

Open Source

Hermes Multi-Agent Bot

Production-ready autonomous agent framework. Telegram-native, MCP support, 100+ skills. Powers daily bounty workflow.

Python · async · self-hosted

Bug Bounty

SaaS RBAC/IDOR Methodology

Documented systematic approach to finding access control bugs in commercial SaaS. Published as repeatable skill.

Bugcrowd · multiple programs

Research

Constantine CVE Pipeline

AI-powered open-source CVE hunter. Praetorian-style methodology, automated triage, validated PoCs.

Production · daily runs

Connect

Let's build something.