Security Researcher & Bug Bounty Hunter

Fernando Ortlieb // g00glym00gly

I break things responsibly. Independent security researcher focused on web application vulnerabilities — XSS, IDOR, GraphQL, and beyond. Active on Intigriti. Based in Germany.

01 // about

Who I am

I'm Fernando Ortlieb, an independent security researcher with a background in engineering and a passion for understanding how systems break.

I approach bug bounty hunting the way a good engineer approaches a problem — methodically, with documentation, and with an honest assessment of what I find and don't find. Negative results are results too.

My current focus is web application security: mapping attack surfaces, testing GraphQL APIs, analyzing WAF behavior, and hunting for authentication and authorization flaws.

$ whoami
Fernando Ortlieb // g00glym00gly
$ cat focus.txt
Web app security, GraphQL, XSS, IDOR
$ echo $LOCATION
Germany
platform: Intigriti
handle: g00glym00gly
active since: 2026
primary scope: web applications
recon tools: Burp Suite, crt.sh
current level: junior researcher
02 // projects

Research

DPG Media / Libelle — Web Application Assessment
active
intigriti.com  ·  Tier 2 / Tier 3  ·  2026
Black-box security assessment of Libelle.nl and its subdomain infrastructure. Conducted full recon including subdomain enumeration via certificate transparency logs, traffic analysis of Next.js and Nuxt.js frontends, and systematic testing of a GraphQL API with persisted queries. Mapped WAF behavior (Akamai), tested for IDOR across UUID-based endpoints, and performed XSS payload analysis across stored and reflected injection points. Documented all findings — including negative results — with full reproduction context.
GraphQL XSS IDOR Burp Suite Akamai WAF Next.js Subdomain Recon crt.sh
TryHackMe — Structured Cybersecurity Curriculum
ongoing
tryhackme.com  ·  Learning Track  ·  2026
Parallel learning track covering passive and active recon, network protocols, vulnerability research methodology, Metasploit on Metasploitable 2, and Linux/Windows privilege escalation. Builds the foundational toolkit that feeds directly into live bug bounty work.
Recon Metasploit Privilege Escalation Linux Vulnerability Research
03 // skills

Tools & Techniques

Recon

  • Subdomain enumeration
  • Certificate transparency (crt.sh)
  • HTTP traffic analysis
  • JS source analysis
  • Subdomain fingerprinting

Testing

  • XSS (Stored, Reflected, DOM)
  • IDOR / Broken Object Auth
  • CSRF
  • GraphQL injection
  • WAF bypass techniques

Tools

  • Burp Suite Community
  • Kali Linux
  • Obsidian (documentation)
  • Metasploit
  • crt.sh / Shodan

Concepts

  • GraphQL persisted queries
  • Session-based auth flows
  • WAF fingerprinting
  • Next.js / React security
  • REST & GraphQL API design
04 // blog

Writeups

// Writeups coming soon. First posts will cover GraphQL persisted query recon and Akamai WAF fingerprinting from real engagements.
05 // contact

Get in touch

Open to collaboration, responsible disclosure discussions, or just talking about web security. Reach me through any of the channels below.


All vulnerability findings are reported through the Intigriti platform within program rules. Do not contact me regarding undisclosed vulnerabilities outside of official channels.