1. clairvoyance obtain GraphQL API schema despite disabled introspection! Made in collaboration with @itsaturov
  2. pwnhub how GitHub Actions workflows can be hacked. Made in collaboration with Artem Mikheev, Danila Stupin, @itsaturov, and @0ang3el
  3. orgs-data a mapping from bug bounty and vulnerability disclosure programs to respective GitHub organizations


  1. “Bug Hunting in Smart-Contracts: Where to Begin”
    • VolgaCTF 2022, Online. Slides: EN.
  2. “Client-side JavaScript prototype pollution” (made in collaboration with @Black2Fan):
    • VolgaCTF 2021, Samara. Slides: EN.
    • ZeroNights 2021, Saint Petersburg. Slides: EN, recording: RU.
  3. “Access control vulnerabilities in GraphQL APIs”:
  4. “Vulnerabilities of mobile OAuth 2.0”:
  5. “IoT hacking from web perspective”:
    • VolgaCTF 2020, Samara. Slides: EN.


  1. “JavaScript prototype pollution: practice of finding and exploitation” [EN|RU]
  2. “Security of mobile OAuth 2.0” [EN|RU]
  3. “GraphQL Voyager as a tool for API security testing” [EN|RU].
  4. “How to cut taxes for bug hunters” (“Охота за уязвимостями на 7% эффективнее”) [RU]


  1. Безопасность компьютерных систем 21/22, ПМИ ФКН ВШЭ. Курс создан в сотрудничестве с @sms-system.
  2. Безопасность интернет-приложений, образовательный центр VK в МГТУ им. Н.Э. Баумана


  1. CVE-2021-22957
  2. CVE-2021-22944
  3. CVE-2020-28460
  4. CVE-2020-28450
  5. CVE-2020-28449