Vansh Devgan
Verified Expert in Engineering
Security Engineer and Developer
Delhi, India
Toptal member since October 19, 2022
Vansh is an independent security researcher who has been actively working in cybersecurity for the last three years. He has worked with multiple big organizations like Microsoft, Google, Apple, Udemy, and NordVPN to help them discover vulnerabilities in their web applications. He has helped 150+ companies to secure their infrastructure through bug bounty or penetration testing. Vansh is also a full-stack developer and specializes in scripting and web scraping.
Experience
- Web App Security - 5 years
- Penetration Testing - 5 years
- Node.js - 4 years
- Burp Suite - 3 years
- Python 3 - 3 years
- Kali Linux - 3 years
- MERN Stack - 3 years
- Source Code Review - 2 years
Preferred Environment
Ubuntu Linux, Windows, MacOS, Visual Studio Code (VS Code), Burp Suite, Metasploit, NMap, Kali Linux, Slack, Amazon Web Services (AWS), Security Testing, Mobile Security, Intrusion Detection Systems (IDS), Kubernetes, Rekono, Managed Security Service Providers (MSSP), Information Security, Vulnerability Scanning, Web Scraping, Scraping, Data Scraping, Node.js, Off-page SEO, TypeScript, GraphQL
The most amazing...
...vulnerability I've found is in the Microsoft Edge browser, for which I got rewarded with a bounty of $20,000.
Work Experience
Senior Product Security Engineer
Crypto.com
- Collaborated with a crypto team to manage their bug bounty program, identified issues through penetration testing in their exchange apps and decentralized finance wallet, and conducted red teaming exercises.
- Conducted source code reviews for their applications, identifying numerous issues related to hard-coded credentials, insecure server-side calls, and more.
- Worked closely with their team on various red teaming activities, uncovering information disclosure issues related to PII data, and helped them implement strong controls to secure their infrastructure.
Product Security Engineer | Threat Modeling Expert
Yahoo!
- Contributed to the company by manually reviewing source code for their applications, offering constructive feedback for continuous improvement across the codebase.
- Aided the company in performing threat modeling for diverse new features, collaborating with the product team to enhance comprehension and prioritize potential threats.
- Assisted in coordinating dynamic penetration testing and software composition analysis (SCA) for newly introduced features and products at Yahoo.
Product Security Engineer
Novelship
- Integrated multiple payment gateways into a web application and performed security assessments.
- Performed multiple security operations on assets, including source code review and internal penetration testing.
- Searched for misconfigurations in AWS and other cloud applications as part of a cloud security assessment.
- Implemented and managed single sign-on (SSO) solutions (Okta) successfully, streamlining user access and enhancing security.
Product Security Engineer
CyberXplore Pvt
- Implemented secure solutions over AWS, integrating SAST, DAST, and hardcoded credentials checks over GitHub.
- Collaborated closely with a small team of developers to implement new features and improve the overall security of the product.
- Conducted audits of vulnerability assessment and penetration testing (VAPT) performed by several clients and helped them build a more robust security profile and team.
- Gained significant experience detecting and fixing identity and single sign-on (SSO) issues, including those with Okta. I partnered with multiple companies to establish robust SSO solutions, enhancing their infrastructure security.
Synack Red Teamer
Synack
- Reported numerous critical vulnerabilities to clients to help secure their infrastructures.
- Assisted in verifying multiple patches for bug fixes.
- Contributed to missions to support some standard security tests requested by clients.
- Helped companies find misconfigurations in their Okta setup and helped them fix them for the proper security of their projects.
CTF Player and Bug Bounty Researcher
Self-employed
- Assisted multiple big clients, including Microsoft, Google, and Apple, to identify security issues in their web application assets, getting rewarded by them with massive bounties.
- Obtained top hacker badges at various companies on HackerOne, including NordVPN, Pluralsight, and Teachable.
- Participated in, conducted, and won many capture-the-flag (CTF) events and reached the top 15 of the national CTF event organized by Cisco SecCon CTF.
Penetration Tester
Plug&paid
- Identified multiple race condition vulnerabilities in their web application which led to financial loss to the company, and helped them with possible mitigation for the problem.
- Discovered an API leaking their AWS access key and secret key, giving an attacker complete control of their cloud infrastructure, and helped them mitigate the issue, impacting their availability by 100%.
- Assisted their team with consulting on security features implementation to prevent race conditions and brute-force attacks on critical functionalities provided as a part of the web applications.
Penetration Tester
Renderforest
- Assisted as a product security engineer, helping them identify potential vulnerabilities in their web application APIs from a black-box perspective.
- Consulted their development team on how to write good fixes for vulnerabilities found and gave some insights about how to write secure code and always sanitize inputs.
- Helped integrate SAST and DAST into their CI/CD pipeline, working over AWS as a part of their DevSecOps.
Experience
Attack Surface Management Project
Subdomain Enumeration at Scale
Web Scraping For eCommerce Platform
Mass Vulnerability Reporting
Certifications
CREST Registered Penetration Tester (CRT)
CREST
CREST Practitioner Security Analyst (CPSA)
CREST
OffSec Certified Professional (OSCP)
OffSec
Certified Red Team Professional
Altered Security
CompTIA PenTest+
CompTIA
Skills
Libraries/APIs
Node.js, REST APIs, React, Java Security, Gmail API, jQuery, Vue
Tools
Slack, SonarQube, AWS SDK, Checkmarx, Google Workspace, OWASP Zed Attack Proxy (ZAP), VPN, Metasploit, NMap, AWS ELB, Terraform, Grafana, GitHub, Jenkins
Languages
Python 3, Python, CSS, HTML, PHP, Java, SAML, TypeScript, SQL, CSS3, HTML5, JavaScript, Bash, GraphQL, Sass, Go, Less
Frameworks
Next.js, ASP.NET, React Native, Express.js, Laravel, Jakarta Server Pages (JSP), Tailwind CSS, Cypress, .NET, ASM, Svelte
Paradigms
Penetration Testing, DevSecOps, Web Architecture, DDoS, DevOps, Azure DevOps, Unit Testing, On-page SEO, Search Engine Optimization (SEO), Off-page SEO, HIPAA Compliance
Platforms
Windows, Burp Suite, Docker, Google Cloud Platform (GCP), Amazon Web Services (AWS), Azure, WordPress, Visual Studio Code (VS Code), Kubernetes, LAMP, Shopify, Ubuntu Linux, MacOS, Kali Linux, Heroku, Linux, Windows Server, Firebase, Ubuntu, Web, Mobile
Storage
PostgreSQL, MySQL, Azure Active Directory, Database Security, SQL Injection Protection, MongoDB, Docker Cloud, Amazon S3 (AWS S3), Azure Cloud Services, RDBMS, Google Cloud
Industry Expertise
Cybersecurity
Other
MERN Stack, Ethical Hacking, Web Security, Web App Security, Application Security, IT Security, Security, ISO 27001, Security Testing, Certified Ethical Hacker (CEH), Software Architecture, Threat Modeling, Vulnerability Assessment, Authentication, Vulnerability Identification, APIs, SecOps, Compliance, Architecture, Security Management, Technical Writing, Security Policies & Procedures, Data Security, SOC 2, Mobile Security, System Administration, Dynamic Analysis, Cloudflare, Antivirus Software, Security Engineering, Computer Security, Security Audits, Gobuster, Rekono, SSL, HTTPS, Transport Layer Security (TLS), Managed Security Service Providers (MSSP), Information Security, Threat Intelligence, Documentation, GRC, Vulnerability Scanning, Red Teaming, Quality Assurance (QA), SAML-auth, Single Sign-on (SSO), Vulnerability Management, Shell Scripting, Web Scraping, Scraping, Data Scraping, Risk Analysis, Root Cause Analysis, Scalable Web Services, Concurrency, Encryption, Code Auditing, Kubernetes Security, Digital Forensics, Communication, Ajax, Web Hosting, Source Code Review, Employee Training, Secure Web Development, CompTIA, AWS DevOps, DevOps Engineer, Web Development, Dynamic Application Security Testing (DAST), Code Review, Consulting, Static Application Security Testing (SAST), Scripting, Risk Assessment, Risk Management, NIST, Containers, SSL Certificates, Data-level Security, GDPR, Data Protection, Cloud Security, WAS, Security Architecture, Identity & Access Management (IAM), CI/CD Pipelines, SIEM, Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), JumpCloud, OAuth, Infrastructure as Code (IaC), IDS/IPS, Monitoring, OWASP, OWASP Top 10, CISO, Group Policy, Governance, IT Governance, Data Governance, Algorithms, Okta, Microsoft 365, PCI, Malware Removal, CAPTCHA, Fraud Prevention, Data Loss Prevention (DLP), Release Management, Network Engineering, IPsec, Technical SEO, Website Audits, AI Security, Artificial Intelligence (AI), App Infrastructure, Site Reliability Engineering (SRE), Data Privacy, LDAP, IoT Security, Applications, Cloud, CISSP, CRTP, Laravel Forge, Business Continuity Planning (BCP), Product Security, Security Breach Consulting, Large Language Models (LLMs), Forensics, Front-end Development, Web Applications, Mobile App Security, Networks, Web & Mobile Applications