pal0x
Private bug bounty researcher · Bohol, Philippines

Judel Palaca

Web security researcher focused on practical application testing, trust boundaries, and meaningful vulnerabilities in real systems.

I work primarily on private bug bounty engagements and scoped web application reviews, with a strong focus on authentication, access control, business logic, and clear, reproducible reporting.

Web security · Manual testing and practical attack paths
Private bounty · Focused research on real application behavior
Merged PRs · Public open-source work across multiple projects
Scoped reviews · Small engagements with clear reporting

Professional focus

I am a private bug bounty researcher with a strong interest in web application security, practical testing, and continuous improvement through hands-on work. My focus is on understanding how applications behave in practice, identifying meaningful weaknesses, and producing reports that are clear enough to reproduce and fix.

What I look at closely

Authentication

Login, reset flows, session handling, identity checks, and account recovery paths.

Access Control

Permission boundaries, role checks, tenant separation, cross-account access, and IDOR-style flaws.

Business Logic

Application workflows, trust assumptions, hidden privilege paths, and practical impact analysis.

How I work

Manual-first testing

I prefer direct application exploration and realistic exploitation paths over noisy checklist-only testing.

Practical findings

I focus on issues that affect trust boundaries, authorization, workflow integrity, or sensitive data exposure.

Clear reporting

Findings are documented with reproducible steps, concise impact, and straightforward remediation notes.

Scoped web application reviews

I am available for limited-scope web application security reviews with a focus on authentication, access control, account workflows, and business logic issues.

Engagements are intentionally small, clearly scoped, and handled with a practical testing approach.

What I can review

Authentication flows, authorization logic, account management, invitation systems, file access, privilege boundaries, and other common web application attack surfaces.

Typical output

A concise findings report with reproduction detail, impact explanation, and practical remediation guidance for each confirmed issue.

Typical scope

Startup web apps, SaaS panels, admin flows, account systems, and targeted business logic reviews.

Good fit

Small-to-medium web applications, newly launched products, sensitive workflows, and teams needing focused review of real attack surfaces.

Not my focus

Large infrastructure assessments, broad enterprise audits, hardware work, or heavy reverse engineering engagements.

Selected merged public work

I contribute practical improvements to open-source projects, with merged work spanning accessibility, frontend performance, configuration, and code quality.

Merged PR · Code Quality

Rapina

Cleaned up singularize-related dead code warnings and aligned the change with the project’s feature-gated build requirements after review feedback.

Merged PR · Configuration

AegisFlow

Added configurable max_body_size support to server configuration and documented the setting for cleaner request size control.

Merged PR · Performance

SurfSense

Improved markdown rendering performance by lazy-loading the syntax highlighter only when fenced code blocks are actually rendered.

Merged PR · Accessibility

SurfSense

Improved accessibility by adding proper aria-label and aria-pressed support to the web search toggle for assistive technology.

GitHub · Public work

Profile

More public work, experiments, small utilities, and contributions are available on my GitHub profile.

Approach · Engineering

Contribution Style

I prefer small, reviewable changes that improve usability, maintainability, performance, and implementation quality in real codebases.

Get in touch

Available for private security work, scoped web application reviews, and security-related inquiries.