Global Rank #200  ·  Security Researcher  ·  Bengaluru, India

SHOBHIT SRIVASTAVA

Penetration Tester · 6+ years Bug Bounty · Google Bug Hunters Global #200
Breaking systems. Building trust. Reporting everything.

5+ Yrs Pentesting  ·  6+ Yrs Bug Bounty  ·  <200 Google Rank  ·  40+ Programs
01  /  About

Who I Am

Cybersecurity professional at the intersection of offensive security and real-world impact. Nearly five years of hands-on penetration testing, six years hunting bugs across top programs.

At Net Square Solutions, I led full-lifecycle security engagements for India's top banking institutions. At Google Bug Hunters, ranked globally under #200 — discovering critical flaws across web, API, and Android surfaces.

Founder and owner of HackerOnce, a web and mobile security company delivering VAPT services to 10+ clients across startups and enterprises. Building a team and reputation for impact-driven security research.

Delivered a talk on "Attacking GraphQL in Web Applications" at NS Conclave 2024 and built the accompanying CTF challenge. I break things responsibly and teach others to defend better.

Web VAPT · Android / iOS · API Security · Network Pentest · GraphQL · SAST / DAST · Active Directory · Cloud AWS · CTF · HackerOnce Founder

Location: Bengaluru, India
Email: *****t@gmail.com
Phone: +91 ••••••4294
Education: B.E. CSE — SMVDU
Cert: OSCP (pursuing)
Status: Available for roles
02  /  Experience

Where I've Operated

Founder & Owner
HackerOnce  ·  Web & Mobile Security
2024 — Present
Bengaluru, India
  • Founded and own HackerOnce — a boutique security company specializing in web and mobile application security for startups and enterprises.
  • Serving 10+ clients with end-to-end VAPT engagements covering web apps, mobile (Android/iOS), APIs, and network infrastructure.
  • Manage the full engagement lifecycle: scoping, NDA, testing, reporting, remediation validation, and client communication.
  • Built a reputation for high-quality, actionable security reports with a strong focus on business impact and real-world exploit chains.
  • Services include: Web App VAPT, Mobile VAPT, API Security, Network Penetration Testing, and Security Consulting.
Security Researcher
Google Bug Hunters
May 2025 — Present
Remote
  • Ranked globally under #200 on the Google Bug Hunters leaderboard through consistent, high-impact discoveries.
  • Identify and validate vulnerabilities across Google products via systematic manual and automated testing.
  • Specialize in XSS, CSRF, SQLi, OAuth misconfigs, access control flaws, privilege escalation, and OWASP Top 10.
  • Security assessments of web apps, REST/GraphQL APIs, Android components, and Google AI products.
  • Deliver PoCs with clear technical explanations aligned with responsible disclosure standards.
Senior Security Analyst
Net Square Solutions Pvt. Ltd.
Apr 2022 — Apr 2025
Ahmedabad, India
  • Conducted VAPT for top Indian and international banking firms — web apps, APIs, Android, and network.
  • Led the full pentest lifecycle: scoping, threat modeling, exploitation, PoC, and report presentation.
  • Performed SAST using SonarQube and Checkmarx; DAST using Burp Suite Pro and custom Python scripts.
  • Developed a CTF challenge for NS Conclave 2024 and delivered a talk on "Attacking GraphQL in Web Applications."
Test Engineer — Security
Epitome Technologies Ltd.
Dec 2018 — Mar 2021
Mohali, India
  • Performed web application, API, Android, and network penetration tests across client modules.
  • Documented OWASP Top 10 vulnerabilities with reproducible PoCs, improving client security posture.
03  /  Arsenal

Technical Skills

Web Pentest: XSS · SQLi · SSRF · CSRF · SSTI · XXE · IDOR · JWT · OAuth · Smuggling
Mobile Security: Android VAPT · iOS · MobSF · Frida · SSL Bypass · MASVS · APK Reverse
API & Network: REST · GraphQL · Network VAPT · Active Directory · Nmap · Metasploit
Tools: Burp Suite Pro · sqlmap · SonarQube · Checkmarx · Turbo Intruder · jwt_tool
Programming: Python · JavaScript · Angular.js · Bash · MySQL · MongoDB
Cloud & Infra: AWS · Active Directory · Cloud SSRF · SAST / DAST · Internal Pivot
04  /  Bug Bounty

Hall of Recognition

01
Google Bug Hunters
Global Rank < #200  ·  Google VRP
Consistently identifying high-impact vulnerabilities across Google's web, API, Android, and AI surfaces. Strong PoC documentation with responsible disclosure.
XSS · CSRF · SSRF · GraphQL · Android · OAuth
02
HackerOne
Active Researcher  ·  Multiple Programs
Valid findings across Shopify, GitLab, Acronis and more. Reports consistently triaged as valid with high signal-to-noise ratio and CVSS-scored documentation.
Shopify · GitLab · Acronis · IDOR · Privesc
03
Core Specialties
Auth Flaws  ·  ATO Chains
Deep expertise in authentication and authorization flaws. Skilled at chaining low-severity findings into critical-impact exploits — JWT algorithm confusion, OAuth ATO, race conditions.
JWT Bypass · OAuth ATO · Race Conditions · Cache Poisoning
Total Earnings
Combined  ·  All Programs
$120,000 USD
Earned across Google VRP, HackerOne programs, and private programs over 6+ years of active bug bounty hunting.
Google VRP · HackerOne · 6+ Years
05  /  Setup

The Toolbox

shobhit@kali  ~  zsh
shobhit@kali:~$ whoami
Security Researcher | Penetration Tester | Bug Hunter | Google #200

shobhit@kali:~$ cat tools.txt
[RECON]     Nmap · Amass · Subfinder · Shodan · LinkFinder · FFUF
[WEB]       Burp Suite Pro · OWASP ZAP · Turbo Intruder · DOM Invader
[EXPLOIT]   sqlmap · Metasploit · ysoserial · jwt_tool · Responder
[MOBILE]    MobSF · Frida · jadx · apktool · objection
[SAST]      SonarQube · Checkmarx · Semgrep
[CODE]      Python · Bash · JavaScript

shobhit@kali:~$ cat methodology.txt
[1] Recon [2] Map Surface [3] Threat Model [4] Test
[5] Exploit [6] PoC [7] Report [8] Retest

shobhit@kali:~$ 
06  /  Contact

Let's Connect

Quick Facts
Availability: Immediate · Full-time or Contract
Preferred Roles: Security Analyst · Pentest Engineer · Security Researcher
Location: Bengaluru (onsite) · Remote (open)
Response Time: Within 24 hours