Independent Security Researcher

I find the vulnerabilities others overlook.

Specializing in logic flaws, authentication bypasses, and business logic vulnerabilities across modern web applications. No scanners — just deep manual analysis and creative thinking.

0+ Critical Vulnerabilities
Google Bug Hunters Leaderboard
OZiva Hall of Fame

About

I think like a developer.
I attack like a researcher.

I'm Vikas Maurya — known online as vikas0vks. I'm an independent security researcher focused exclusively on black-box testing of production web applications.

My approach is simple: I don't rely on automated tools. Instead, I reverse-engineer how developers think — mapping workflows, tracing state transitions, and identifying the assumptions baked into business logic. The vulnerabilities I find are the ones that scanners can't detect.

From authentication flows to payment systems, I specialize in finding high-impact flaws in critical infrastructure — the kind that get classified as Critical and High severity.

Recognition & Proof

Select Achievements

Verified

Google Bug Hunters Leaderboard

Recognized on Google's official Bug Hunters platform for identifying security vulnerabilities in Google products. Listed on the public leaderboard — ranked by reward total.

Verify on Google →

Image: Google Bug Hunters Leaderboard showing Vikas Maurya at #1 for search 'Vikas'

Verified

OZiva Hall of Fame

Listed on OZiva's Responsible Disclosure Program page for identifying and responsibly reporting critical security vulnerabilities in their platform. One of only 12 researchers recognized.

Verify on OZiva →

Image: OZiva Responsible Disclosure Hall of Fame showing Vikas Maurya highlighted

0+ Critical Severity Findings

Across multiple platforms — authentication bypasses, IDORs, payment logic flaws, and business logic vulnerabilities.

Responsible Disclosure

Every vulnerability reported ethically through official channels. No data exposure. No unauthorized access. Full coordination with security teams.

Continuous Research

Studying HackerOne reports, CVE advisories, and patch analysis daily to stay ahead of the curve.

Approach

How I work

01

Map the Landscape

I categorize every feature across 8 domains — identity, resources, authorization, billing, notifications, search, integrations, and state transitions. Nothing gets overlooked.

02

Trace Every Workflow

Happy paths, inverse operations, rate limits, state changes, cleanup logic — I map the complete lifecycle of every request before testing anything.

03

Hunt Assumptions

"Accounts must have at least one org." "Email is always verified first." "Users follow the linear flow." I find these hidden rules — then I break them.

04

Exploit Systematically

Race conditions on cleanup handlers, state transition abuse, timing windows in async operations, bulk vs single-operation code paths — tested methodically, reported with full reproduction steps.

Contact

Let's work together.

Looking for a security researcher for your platform? I'm available for private bug bounty programs, security assessments, and vulnerability research engagements.