Hi, I'm

Ehtesham Ul Haq

Offensive Security Specialist · SaaS & API Security

I identify real, exploitable vulnerabilities in modern applications before attackers do.

Focused on business-critical issues like access control flaws, authentication bypasses, and API vulnerabilities — not low-value findings.

About

I started in bug bounty, but quickly realized most vulnerabilities aren’t about “finding bugs” — they’re about understanding how systems break in real-world scenarios.

Today, I work as a security researcher and consultant, helping startups and SaaS platforms uncover hidden vulnerabilities that automated tools and surface-level testing miss.

I founded The Hidden Finds to focus on what actually matters:

  • Real attack scenarios
  • Exploitable vulnerabilities
  • Business impact

Not checklists. Not noise.

Work Experience

CEO & Founder

The Hidden Finds · Full-Time
Sep 2020 to Present · 4 yrs 5 mos
Karachi Division, Pakistan


Security Researcher

Bugcrowd
Freelance
Nov 2018 - Present · 6 yrs 3 mos


Security Researcher

HackerOne
Freelance
Oct 2018 - Present · 6 yrs 4 mos


Education

Bahria University

Bachelor's degree, Computer Science


Bugcrowd Statistics

Ehtesham Ul Haq

Rank

32nd


HackerOne Statistics

Ehtesham (ehtesham98)

Reputation

182

Thanks 

6

Impact

20.00

Percentile

46th


Discover My Blogs

I’ve dedicated countless hours to Bug Bounty Hunting and Penetration Testing, uncovering high-impact vulnerabilities that enhance security. Below are some of my most significant discoveries. For more in-depth insights, check out my latest blogs.

Low Hanging Bugs often pays well

Bugs with Minimal Impact: These are vulnerabilities that generally lack significant impact, such as missing security headers, open redirects, or content spoofing. Personally, I don’t focus on these types of issues and wouldn’t recommend prioritizing them in your bug-hunting journey.

Missing Rate Limit on Several Endpoints $1300

In this blog post, I’ll share the journey of uncovering a rate-limit vulnerability on multiple endpoints that ultimately enabled an account takeover. Let’s dive into the details!

UUIDs: A False Sense Of Security

Hi Hunters, would you like to learn about a broken access control vulnerability that I discovered recently for a client?

CLICKJACKING TO OBTAIN LOGIN CREDENTIALS

Hey guys! Hope you all are doing fine. I was approached by many community members asking me to share some insights regarding my bounties, so I thought, what better way to do it… than doing a write-up.


Some Companies I’ve reported vulnerabilities to and received acknowledgments from


Get in Touch

Want to chat? Just send me a message with a direct question on LinkedIn and I’ll respond.

OR

Email me at: ehtesham@thehiddenfinds.com