Ashfaque Jahan

Penetration Tester, Bug Bounty hunter

I hunt bugs and secure digital experiences for the internet

I'm a cybersecurity enthusiast dedicated to building secure, resilient digital infrastructures capable of withstanding modern threats. My passion lies at the intersection of offensive security and defense-in-depth strategies—uncovering vulnerabilities not just to expose weaknesses, but to strengthen systems against real-world attacks.

I served as a Junior Penetration Tester at Fetlla for six months, where I specialized in web application and Android application security. I conducted comprehensive security assessments, identified vulnerabilities, and provided actionable insights to ensure our clients' platforms met industry standards and delivered secure, reliable user experiences.

My journey into cybersecurity has been shaped by hands-on experience across diverse environments—from bug bounty platforms and CTF competitions to formal labs and certifications. These experiences have equipped me with a well-rounded understanding of attacker methodologies and defensive strategies.

In my spare time, I stay engaged with the latest security research, participate in bug bounty programs, and explore creative techniques for bypassing security controls.

  1. 2025 MAR — 2025 SEP

    Junior Penetration Tester · Fetlla

    Conduct comprehensive penetration testing on web applications, Android applications, APIs, and network infrastructure. Identify and exploit security vulnerabilities using industry-standard methodologies. Create detailed reports with proof-of-concepts and remediation recommendations. Collaborate with development teams to implement security fixes and best practices.

    • Burp Suite
    • Python
    • Bash
    • Nmap
  2. 2023 — PRESENT

    Independent Bug Bounty Hunter

    Actively participate in public and private bug bounty programs on platforms like HackerOne, Bugcrowd and YesWeHack. Proactively discover and report security vulnerabilities in web applications and Android applications. Develop proof-of-concept exploits and write clear, concise vulnerability reports with actionable remediation steps, contributing to the enhancement of real-world application security.

    • Web Hacking
    • Vulnerability Discovery
    • Report Writing
    • Proof-of-Concept
    • Business Logic Bugs
    • Reconnaissance
  1. Web Application Security

    Expert in identifying OWASP Top 10 vulnerabilities, conducting manual testing, and using automated tools to assess web application security posture.

  2. Network Penetration Testing

    Proficient in network reconnaissance, vulnerability scanning, exploitation, and post-exploitation techniques using industry-standard tools.

  3. Security Reporting

    Strong technical writing skills for creating comprehensive penetration testing reports with clear remediation steps for technical and non-technical audiences.

  4. Android Application Security

    Proficient in testing Android applications for common vulnerabilities like insecure data storage, broken cryptography, insecure communication, and client-side injection. Experienced with static and dynamic analysis tools and methodologies specific to mobile security.

  5. Vulnerability Research & Disclosure

    Adept at independently discovering security flaws in various systems and applications. Skilled in developing proof-of-concept exploits and adhering to responsible disclosure practices to ensure timely and effective remediation of identified vulnerabilities.

  6. AI-Assisted Scripting & Automation

    Leveraging AI tools to enhance scripting for automation, task streamlining, and personal security-related projects. Focused on developing efficient command-line utilities and workflows.

Projects & Write-ups

  1. 2024 SEPTEMBER

    Hack Havoc CTF Write-up: Solutions

    Detailed write-up covering multiple challenges from the "Hack Havoc" CTF hosted by CyberMaterial. This entry showcases a diverse range of cybersecurity skills, including:

    • Web Exploitation: Identifying and exploiting vulnerabilities like directory traversal, command injection, and Server-Side Template Injection (SSTI).
    • OSINT (Open-Source Intelligence): Leveraging social media, public records, and image analysis to gather crucial information and solve puzzles.
    • Cryptography: Deciphering various encoding and encryption schemes (e.g., Base58, Base64, Base92, ROT47, XOR, Trithemius cipher, Braille ASCII, Maritime Signal Code).
    • Reverse Engineering: Analyzing binary files, decompiling Python bytecode, and extracting hidden flags from obfuscated code and data.
    Each solution details the methodology, tools used, and the thought process involved in overcoming the challenge.

    • CTF
    • Web Exploitation
    • OSINT
    • Cryptography
    • Reverse Engineering
    • Vulnerability Research
    • Python
    • JavaScript
    • Linux
    • Burp Suite
    • ffuf
    • dcode.fr
    • Binary Analysis

Security Achievements

Screenshots and highlights from my cybersecurity journey

  1. 2023

    First Bounty

    First bounty for finding a security issue

  2. 2024

    $2,500 Bounty

    Four-digit bounty

  3. 2025

    Bounty from YesWeHack

    API requests from a deleted YesWeHack account remain valid

  4. 2024

    HackerOne Recognition

    HackerOne recognition for finding a critical bug
