Security advisories.

A double-slash bypass in the export URL handler allowed unauthenticated callers to enumerate data behind authenticated event endpoints. I confirmed the scope by enumerating across all public events and measuring the unique-email count — not to exfiltrate, but to give the vendor a credible exposure number in the GDPR-aligned breach report I provided alongside the technical write-up.

The vendor patched within 24 hours and adopted HMAC-signed export URLs. A notable downstream consequence: after I shared the findings inside a closed Forbes 30 Under 30 group, Facebook’s Associate General Counsel contacted me — not because Facebook was vulnerable, but because Facebook employee accounts were among the exposed emails. Full technical write-up published on Medium.

I identified that the TED AI app was inadvertently leaking user data through an access-control gap. I reported the finding through the appropriate channel and was subsequently banned from the platform rather than acknowledged. The point of this entry is not the outcome — it is that the disclosure process itself was documented in public, in real time. Future organizers should know that proactive findings about their platform are worth treating as collaborators bring them, not adversaries.