NEW DELHI · INDIA · 2026
BHAVISH CHOUDHARY
• ANONYMOUSHACKERXD •

SECURITY ON
AUTOPILOT

Security Researcher · Bug Bounty Hunter · SOC Analyst
Google VRP P2 TRIAGED · CERT-In Hall of Fame · New Delhi, India
10+ Vulnerabilities Reported
Paid Bounties Earned
P2 Highest Google VRP Severity
2 Hall of Fame Awards
• ⚡ LIVE — Google VRP P2 Gemini AI Infrastructure · [TRIAGED]
• CERT-In Hall of Fame · Passport Seva RCE+XSS · [RECOGNIZED]
• 🔴 CRITICAL — Cosmos/EVM Blockchain · HackerOne #3578035
• Google Cloud P3 Infrastructure Flaw · [TRIAGED]
• Upstox Internal Server RCE · [REWARDED]
• HealthifyMe CVE-2025-55182 · Pre-Auth RCE · [P1 RESOLVED]
• Airbnb OAuth Zombie State · HIGH 7.0–8.9 · #3539985
• BigONE Exchange MPC Flaws · $100 + $105 USD PAID
About

Bridging offense
and defense.

I'm Bhavish Choudhary — a cybersecurity professional who hunts vulnerabilities in the world's largest platforms and defends organizations using the same attacker mindset.

With a Master's in Computer Applications and hands-on experience across SOC operations, I specialize in finding what others miss — from P2 vulnerabilities in Google's Gemini AI infrastructure to critical RCE on fintech backends.

My work bridges two worlds: the blue team (SIEM, log forensics, incident response) and the red team (API hacking, IDOR, OAuth exploitation, cloud misconfigurations, AI security).

SOC L1 · Incident Response · Threat Hunting · Bug Bounty · MITRE ATT&CK · SIEM/Splunk · API Security · OSINT · AI Security · Cloud Security · Malware Analysis
Bhavish Choudhary
SOC Analyst · Vulnerability Researcher
Status: Available
Location: New Delhi, India
Google VRP: P2 & P3 TRIAGED
Hall of Fame: Google · CERT-In
MCA: MDU · 66.16%
BCA: MDU · 64.27%
Capabilities

What I do.

Security Operations

Incident Response & Forensics: 90%
SIEM (Splunk) & Log Analysis: 85%
Threat Hunting · YARA/Sysmon: 80%

Offensive Security

Web Application Pentesting: 90%
API Testing · Burp / Postman: 85%
Network Recon & OSINT: 80%

Tools & Infrastructure

Linux · Kali · WSL: 92%
Google Cloud Platform: 75%
Malware Analysis · RE: 78%
Experience

Where I've operated.

Incident Response & Digital Forensics Analyst

Confidential Official Investigation · Remote · 2025
Isolated SQL injection exploitation in Google Cloud Load Balancer logs — identified malicious IPs exfiltrating 2,000+ customer records (PII, mobile numbers, emails). Adaptive log triage and IOC extraction enabled device traceback (IMEI) and full containment in under 1 hour. Correlated temporal patterns to identify insider threat; documented findings for legal proceedings. All TTPs mapped to MITRE ATT&CK.

Independent Vulnerability Researcher & Bug Bounty Hunter

Google VRP, HackerOne, Bugcrowd, Cosmos, Private Programs · 2025 – Present
• Responsibly disclosed critical and high-severity vulnerabilities across public and private bug bounty programs; earned bounties from Upstox, BigONE Exchange, and additional private targets.
• Google VRP — Gemini AI Infrastructure (P2, TRIAGED): Identified and reported a vulnerability directly impacting Google's flagship Gemini AI model infrastructure. Report officially reproduced and escalated to Priority 2 by Google Security Engineers. Details withheld under responsible disclosure NDA pending patch deployment.
• Google VRP — Google Cloud Infrastructure (P3, TRIAGED): Discovered a separate security flaw within Google Cloud's production environment — reproduced, assigned, and triaged at Priority 3 by Google Security Team. Full technical write-up to be published post-remediation.
• HackerOne — Cosmos / EVM (Critical, Report #3578035): Identified and submitted a critical-severity vulnerability in Cosmos blockchain infrastructure. Report was triaged as Critical by the security team prior to eligibility review. Vulnerability class and technical details withheld pending program resolution.
• Upstox (Rewarded): Discovered a Remote Code Execution vulnerability on an internal production server — achieved unauthenticated code execution on backend infrastructure; bounty awarded for responsible disclosure.
• BigONE Exchange (BIGONERB-31 & BIGONERB-56, $100 + $105 USD): Identified and reported two resolved configuration vulnerabilities; both validated, patched, and rewarded.
• Airbnb — HackerOne (High 7.0–8.9, #3539985): Auth bypass via unlinked OAuth provider — "Zombie State" flaw allowing silent login via disconnected Google OAuth, bypassing SMS 2FA entirely.
• HealthifyMe — Bugcrowd (P1, CVE-2025-55182, Resolved): Unauthenticated RCE via React Server Components deserialization on gpt-app.healthifyme.com; pre-auth code execution — resolved by vendor.
• Uncovered 0-Click Account Takeover via IDOR in private program; discovered 9,000+ HDFC Bank debug/error pages via advanced dorking; detected live cryptocurrency miners across multiple production websites. Detected Reflected/Stored XSS and security misconfigurations across web and Android applications.
• CERT-In Hall of Fame — Government of India: Recognized for discovering RCE, multiple XSS flaws, and a critical security vulnerability within the official Passport Seva Android application, directly contributing to the security of national digital infrastructure.
Education

Master of Computer Applications (MCA)

Maharshi Dayanand University · 66.16% · 2023–2025
Advanced Software Engineering, Neural Networks, Cyber Security & Blockchain Technology.

Bachelor of Computer Applications (BCA)

Maharshi Dayanand University · 64.27% · 2019–2022
OOP, Database Systems, Network Architecture & Information Security fundamentals.
Certifications

Credentials.

🔐 API Security
TheXSSRat

CAPIE — Certified API Hacking Expert

API Testing, OAuth 2.0 attack surfaces, SSO exploitation, API reconnaissance methodology.
Credential: KB6CqKog · Sep 2025
🛡️ Blue Team
Deloitte Australia (Forage)

Cyber Security Job Simulation

SIEM operations, log management, endpoint security, incident response triage.
Credential: Hn8XyfYY28ZZMjLks · Jun 2025
🎄 Practical
TryHackMe

Advent of Cyber 2025

24 consecutive daily challenges — Web Exploitation, Network Defense, Digital Forensics.
Credential: THM-QOPRZSJLSW · Dec 2025
🧠 Assessment
TCS iON

NQT Cognitive — 68.20%

1,227.58 / 1,800 overall · Numerical: 369 · Verbal: 446 · Reasoning: 411.
Feb 2026 · Issued 5th Mar 2026
🐧 Linux
TCM Security

Linux 100: Fundamentals

Linux OS, kernel architecture, Debian-based systems, shell operations.
Credential: cert_dvwmwtbz · May 2025
🦠 Malware
TCM Security

Practical Malware Analysis & Triage

Splunk, ELK, Wireshark, Sysmon, Reverse Engineering, Bash, PowerShell.
Credential: cert_9rbj2x3q · Oct 2023
☁️ Cloud
Google Cloud

Arcade Trooper

Cloud skill challenges. Physical recognition award — T-shirt, bag, light & badge.
2024
Research

Vulnerabilities discovered.

Google VRP · Gemini AI Infrastructure
Identified a vulnerability directly impacting Google's flagship Gemini AI model infrastructure. Officially reproduced and escalated to Priority 2 by Google Security Engineers. Details withheld under responsible disclosure NDA pending patch deployment.
🔴 P2 · TRIAGED
Google VRP · Google Cloud Infrastructure
Discovered a security flaw within Google Cloud's production environment. Reproduced, assigned, and triaged at Priority 3 by Google Security Team. Details withheld under responsible disclosure NDA pending patch deployment.
🟡 P3 · TRIAGED
CERT-In · Government of India
Officially recognized in CERT-In Hall of Fame for discovering RCE, multiple XSS flaws, and a critical bug in the official Passport Seva app — directly contributing to national digital security.
🏆 HALL OF FAME
HackerOne · Cosmos / EVM
Critical-severity vulnerability in Cosmos blockchain infrastructure (Report #3578035). Triaged as Critical by the security team. Vulnerability class and technical details withheld pending program resolution.
🔴 CRITICAL
HealthifyMe · Bugcrowd
Critical unauthenticated RCE via React Server Components deserialization on gpt-app.healthifyme.com. Pre-auth server code execution. CVE-2025-55182 assigned. P1 — Resolved.
P1 · RESOLVED
Upstox · Private Program
Discovered a Remote Code Execution vulnerability on an internal production server — achieved unauthenticated code execution on backend infrastructure; bounty awarded for responsible disclosure.
💰 REWARDED
BigONE Exchange · HackenProof
Identified and reported two distinct vulnerabilities in BigONE's MPC architecture (BIGONERB-31 & BIGONERB-56). Both configuration flaws were validated, patched, and rewarded.
💰 $100 + $105 USD
Airbnb · HackerOne
Disconnecting Google OAuth leaves a "Zombie State" — attacker silently logs in via disconnected provider, bypassing SMS 2FA. Report #3539985.
HIGH 7.0–8.9
Airbnb / HotelTonight · HackerOne
Improper authentication on *.hoteltonight.com (Airbnb subsidiary). Unauthorized object access via direct reference manipulation. Report #3543688.
HIGH 8.8
Available for opportunities