Aspiring Application Security Researcher and Student

Location:
Pittsburgh, PA
Posted:
June 07, 2026

Resume:

DAVID JOHN DEMCHAK

Pittsburgh, PA ***** 412-***-**** **********@*****.*** linkedin.com/in/david-demchak-7aa921271 U.S. Citizen — available to work within the continental U.S.

PROFESSIONAL SUMMARY

Application-security-focused vulnerability researcher with hands-on experience finding and reporting HIGH- and CRITICAL-severity web and API vulnerabilities across enterprise programs, including findings resolved by IBM (Fortune 100). Bug-class coverage spans OWASP Top 10 — broken access control, SSRF, cryptographic and authentication failures, security misconfiguration, and integrity issues. Skilled at end-to-end testing of OAuth 2.0 / OIDC, SAML, JWT, and session flows, and at writing reproducible, business-impact-driven reports consumed by enterprise security teams. Pursuing a B.S. in Cybersecurity & Information Assurance.

TECHNICAL SKILLS

Application Security: OWASP Top 10 (A01 BAC, A02 Crypto, A03 Injection, A07 Auth, A08 Integrity, A10 SSRF); manual web & API testing; authentication / authorization testing; business-logic flaws; CVSS scoring; reproducible PoCs

Tools: Burp Suite (proxy, repeater, intruder); HTTP / REST / GraphQL testing; curl, httpx, ffuf, subfinder; Git / GitHub

Auth & Identity Protocols: OAuth 2.0 (Dynamic Client Registration, PKCE, client_credentials, authorization_code), OIDC, SAML / SSO, JWT, session, MFA

Programming: Python (scripting & testing harnesses), SQL, PySpark exposure

SECURITY RESEARCH EXPERIENCE

Independent Application Security Researcher / Bug Bounty Hunter
Self-directed — HackerOne, Bugcrowd, Intigriti, YesWeHack — December 2025 – Present

Submitted 24 valid vulnerability reports across 11 enterprise bug-bounty programs (IBM, Adobe, Calendly, Mux, MasterClass, Mezmo / LogDNA, Lyft, Fast Retailing / Uniqlo, Galaxy Digital, Deriv, Banco Plata). Includes findings resolved by IBM, a Fortune 100 enterprise — 1 Critical and 1 High accepted, plus a third Critical triaged for remediation.

Identified and reported web and API vulnerabilities spanning the OWASP Top 10:

- Broken Access Control (A01): privilege escalation on a SaaS team-role model (non-Owner Admin); cross-client OAuth token revocation; paywalled-content disclosure via unauthenticated REST endpoint.
- Server-Side Request Forgery (A10): unauthenticated SSRF in an open-source content-credentials library (Adobe); stored SSRF via webhook subscription leaking Kubernetes pod names, internal IPs, and request signatures (Mux).
- Authentication & Identity Failures (A07): end-to-end one-click account takeover chained from anonymous OAuth Dynamic Client Registration plus unvalidated redirect_uri (Calendly, Mux, Adobe); asymmetric 2FA flow allowing enrollment without password re-auth (Mezmo); insecure http:// redirect_uri accepted on production Okta client (Galaxy Digital).
- Cryptographic / Integrity Failures (A02 / A08): unsalted SHA-256 customer hashes exposed via unauthenticated SSO domain enumeration endpoint (Mux); long-lived, replayable guest-pass URLs with no TTL or one-time-use enforcement (MasterClass, 27-month replay window).
- Security Misconfiguration & Secret Exposure: 62 valid IBM Cloud service credentials and IBM-employee GitHub Personal Access Tokens leaked in public repositories; IBM-confidential internal Go modules (1,378 files) publicly accessible; hardcoded FedEx commercial token in production JS bundles (Uniqlo / GU); cleartext pipeline-sink credentials returned to low-privilege team members (Mezmo); CSP frame-src bypass via attacker-controlled custom domain (Mux).
- Other: Subdomain takeover via unclaimed Framer SaaS CNAME (Banco Plata); unauthenticated user-existence enumeration (Deriv).

Authored reports with reproducible PoCs, CVSS justification, and business-impact narratives — the same "translate finding into stakeholder-actionable risk" skill required by AppSec engineering teams. Operated within program rules of engagement and legal safe-harbor scope across large attack surfaces.

PROJECTS

OIDC / OAuth Identity Platform Lab — Okta Customer Identity Cloud (Auth0) — 2026
Configured an OIDC Single Sign-On web application (redirect URIs, client credentials, grant-type allowlists, JWT), implemented RBAC with a custom role, enforced an MFA (OTP) policy, and reviewed authentication log events — to internalize the OIDC / RBAC / MFA controls my offensive testing targets.
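
The redirect_uri control configured in this lab, and reported as unvalidated or as accepting http:// in the research section above, shown as an added example of the server-side check. This is not the candidate's code, the Auth0 tenant's configuration, or any bug-bounty program's code: it implements the exact string comparison that RFC 6749 section 3.1.2.3 and the OAuth 2.0 Security BCP require, with the loopback port exception of RFC 8252 section 7.3 for native apps. The client registry, client IDs, and sample URIs are constructed for illustration.

```python
"""Exact-match redirect_uri validation for an OAuth 2.0 / OIDC authorization
server.

Added example, not code from the original page, the Auth0 tenant, or any
program. Authorization requests are accepted only when redirect_uri matches a
registered value character for character (RFC 6749 s.3.1.2.3); the single
relaxation is RFC 8252 s.7.3, which lets native apps vary the port on a
registered loopback URI. The registry below is constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed client registry: client_id -> registered redirect URIs.
CLIENTS = {
    "web-app": ["https://app.example.com/callback"],
    "native-app": ["http://127.0.0.1/callback", "http://[::1]/callback"],
}

# Only these hosts may use http:// (loopback interface, RFC 8252 s.7.3).
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def validate_redirect_uri(client_id, requested):
    """Return (ok, reason) for a redirect_uri presented on /authorize.

    ok is True only for an exact string match against a registered URI, or
    for a registered loopback URI that differs from the request solely in
    the port. No prefix, wildcard, or host-suffix matching is performed.
    """
    registered = CLIENTS.get(client_id)
    if not registered:
        return False, "unknown client_id"
    try:
        req = urlsplit(requested)
    except ValueError:
        return False, "unparseable redirect_uri"
    # Fragments are never part of a redirect_uri (RFC 6749 s.3.1.2).
    if req.fragment:
        return False, "fragment not allowed in redirect_uri"
    if req.scheme not in ("https", "http"):
        return False, "unsupported scheme"
    # A production web client must never redirect over cleartext http://.
    if req.scheme == "http" and req.hostname not in LOOPBACK_HOSTS:
        return False, "http:// only permitted for loopback"
    for reg in registered:
        if requested == reg:
            return True, "exact match"
        r = urlsplit(reg)
        # RFC 8252 s.7.3: the loopback redirect may use any port, but the
        # scheme, host, path, and query must still match the registration.
        if (r.scheme == "http" and r.hostname in LOOPBACK_HOSTS
                and req.scheme == "http" and req.hostname == r.hostname
                and req.path == r.path and req.query == r.query):
            return True, "loopback match (port ignored)"
    return False, "redirect_uri not registered"


if __name__ == "__main__":
    # Constructed requests: the first is legitimate, the rest are the
    # shapes a pattern- or prefix-matching server would wrongly accept.
    for cid, uri in [
        ("web-app", "https://app.example.com/callback"),
        ("web-app", "http://app.example.com/callback"),
        ("web-app", "https://app.example.com.attacker.net/callback"),
        ("web-app", "https://app.example.com/callback/../evil"),
        ("native-app", "http://127.0.0.1:51234/callback"),
    ]:
        print(cid, uri, validate_redirect_uri(cid, uri))
```

The point of the strict comparison is that the two weaker policies commonly found in the wild fail in exactly the ways listed in the research section: prefix or pattern matching lets an attacker-controlled path or look-alike host pass, and a scheme check that is absent or applied only at registration time is what lets an http:// redirect_uri through on a production client. With Dynamic Client Registration open to anonymous callers, the allowlist itself is attacker-supplied, so DCR endpoints need their own authentication or policy before this check means anything.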

Authentication-Telemetry Analytics (PySpark) — Apache Spark / Spark SQL — 2026
PySpark notebook ingesting ~5,000 synthetic auth events, computing MFA-adoption rate, failed-login risk ranking, anomalous-geo logins, and a 2-sigma anomaly flag. [Notebook: colab.research.google.com/drive/18GbZ6sZJnoXDaFw6MGnFZwXydF5-r15b]

EDUCATION & CERTIFICATIONS

B.S., Cybersecurity & Information Assurance (in progress) — Western Governors University — Expected July 2029. Coursework: IT Foundations; Practical Applications of Prompting (generative AI / prompt engineering).

CompTIA A+ — 2026
