Istanbul, Türkiye
I'm an Application Security Engineer focused on security research and AppSec. I work on finding and responsibly disclosing issues in open-source software and in the supply chain, and I build tools and share what I learn through talks and writing. Research & impact I've discovered and disclosed multiple CVEs in widely used OSS projects and have presented at Black Hat Sector, BSidesBCN, Hacktrick, and IWCON. I've been recognized by Siemens, Microsoft, T-Mobile, Honeywell, Deutsche Telekom, and others for responsible disclosure, and I've contributed to the Google Bug Hunter program. I've also placed 1st in Turkcell UniBounty and 6th at STMCTF with team OutLawz. Tools & community I build and maintain open-source security tools, including projects adopted in Kali Linux and Black Arch, and write about my research and process on my blog. I regularly speak and teach on AppSec, AI security, and secure code review. Credentials eWPTX · eMAPT · AWS Cloud Practitioner. Interested in AppSec, security research, and speaking. Reach out to connect.
1. Supply chain security Designed and drove rollout of an internal product that scans dependencies, licenses and vulnerabilities across the organization. Over 40,000 repositories are in scope, with pipelines blocking known-malicious packages. 2. Secret scanning & AI False Positive Elimination Scaled secret detection across all repositories and reduced false positives by 53% with AI-based classification. 3. Developer security engagement Ran security tournaments and training for ~400 engineers across 10 teams. Presented at Black Hat Sector, BSidesBCN, Hacktrick, and CIDC while at Trendyol.
1. Bug bounty Managing Trendyol’s bug bounty program and day-to-day operations. 2. Vulnerability prioritization and fix process Prioritizing internal findings and contributing to fix workflows.
1. Developed a hospital management system with separate interfaces for doctors and healthcare workers, and helped design a more modern UI and simpler workflows. 2. Owned security for the product: secure design, implementation, and security assessments across the stack.
1. Founded and built a product that discovers locations from social media accounts using AI and EXIF metadata for OSINT and security research. CantHide reached over 1K users. 2. Core idea later evolved into exifLooter, an open-source tool adopted in Kali Linux and Black Arch (480+ GitHub stars).
1. Carried out offensive security research and vulnerability assessments in a telecom environment; discovered and responsibly disclosed a critical vulnerability. 2. Placed 1st in Turkcell UniBounty university bug bounty competition (2022) and 6th at STMCTF with team OutLawz (Turkey’s longest-running CTF, 200+ competitors, 50 teams).
Contributed to security assessments and internal security processes during the internship.