January 22, 2026
When Self-XSS Isn’t Self Anymore: Escalating to Account Takeover
Tags: bug-bounty, Writeup, Web, ATO, XSS
How chaining a self‑XSS with email HTML injection resulted in account takeover.

August 5, 2025
When the Price Goes Wrong: $9K from 2 Price Manipulation
Tags: bug-bounty, Writeup, Web
2 price manipulation bugs turned into a $9,000 bounty by breaking the application's core logic.