I'm Juan Felipe Oz.

Offensive Security Engineer specialized in web application, API, and mobile penetration testing. Independent Vulnerability Researcher with disclosed CVEs in open source software, NASA recognition, and Burp Suite Champion. I build security tools, break enterprise systems, and publish what I find.

Experience

Offensive Security Engineer, NTT Data

June 2026 - Present (Remote, Colombia)

  • Web, API, and mobile application penetration testing for large enterprise clients across Colombia and LATAM, spanning banking, retail, and critical infrastructure sectors.
  • Advanced exploitation of web vulnerabilities and business logic flaws in Android and iOS applications and in REST and GraphQL APIs, following PTES methodology and NIST standards.
  • Embedded offensive security within client DevSecOps pipelines, performing targeted assessments on new modules and components at each CI/CD cycle before they reach production.
  • Security awareness sessions and technical talks bridging the gap between offensive findings and secure development practices within client organizations.

Offensive Security Consultant, KPMG

April 2025 - May 2025 (Bogotá, Colombia)

  • Web and mobile application penetration testing for enterprise clients across financial, healthcare, and government sectors, including major energy corporations.
  • Manual and automated vulnerability assessment: SQLi, XSS, IDOR, SSRF, business logic flaws, authentication bypasses, and API security testing.
  • Exploitation of complex vulnerability chains in regulated environments under OWASP and PTES methodologies.
  • Client-facing reporting: translating critical technical findings into executive-level risk impact, with actionable remediation roadmaps.
  • Attack surface analysis and red team collaboration on complex multi-layered infrastructures.

Security Researcher, HackerOne - BugCrowd

June 2023 - Present (Remote)

  • Identify critical vulnerabilities using PTES methodology, combining lateral thinking and technical creativity to solve complex problems.
  • Reported Open Redirect, Subdomain Takeover, and Information Disclosure vulnerabilities in Adobe, NASA VDP, and private programs.
  • Focus on asset enumeration, web exploitation, and high-impact findings across public and private bug bounty programs.

Ethical Hacker, Siesa

January 2024 - June 2024

  • Analyzed enterprise ERP and CRM software solutions across multiple versions prior to production deployment.
  • Conducted penetration testing on two internal applications, identifying boolean-based SQL injection and reflected XSS vulnerabilities and proposing remediations.
  • Contributed to software quality and security analysis, improving operational efficiency and data protection standards.

CVEs • Vulnerability Research

CVE-2026-35526

Denial of Service via unbounded WebSocket subscriptions in Strawberry GraphQL (over 5M downloads/month on PyPI). An unauthenticated attacker can exhaust server resources by opening unlimited subscriptions without triggering any rate limit.

advisory →

CVE-2026-34406

Privilege Escalation via mass assignment of is_superuser in APTRS's user edit endpoint. A low-privileged authenticated user can escalate to superuser by sending a crafted request that modifies protected fields.

advisory →

CVE-2026-34381

Unauthenticated access to role-restricted documents in Admidio via a neutralized .htaccess file. File access controls were bypassable without any authentication.

advisory →

CVE-2026-34382

Missing CSRF protection on custom list deletion in Admidio's mylist_function.php. Allows an attacker to trick authenticated users into deleting arbitrary lists via a forged request.

advisory →

CVE-2025-50578

Host Header Injection + Open Redirect in the official Heimdall Docker image (LinuxServer.io). Manipulation of the Host header allows arbitrary redirection of authenticated users.

advisory →

CVE-2025-50579

Authentication bypass vulnerability in Nginx Proxy Manager v2.12.3. Reported via MITRE/NVD.

advisory →

More research in progress.

Some findings are under coordinated disclosure.

Achievements


Vulnerabilities reported and acknowledged in NASA's Vulnerability Disclosure Program.


Letter of Appreciation - NASA VDP · May 15, 2025


Letter of Appreciation - NASA VDP · May 29, 2025


Adobe Security: Information disclosure of git metadata and Spring Boot Actuator data, responsibly reported and resolved.


Disclosure of git metadata & Spring Boot Actuator info · Adobe · HackerOne

Connect with me at