~ Hamzeh Emreish New York

Security researcher
& full-stack builder.

I take software apart and put it back together. Bug bounty research on HackerOne, Bugcrowd, and Intigriti, plus full-stack systems for real businesses. CS graduate of CUNY Lehman, May 2026.

whoami

a builder who reads patch diffs for fun.

cat now.txt

shipping bug bounty research on the GenAI attack surface. drafting an email-injection chain on Frappe. just graduated CUNY Lehman.

Available for work · open to security and full-stack roles.

Selected work

  1. MCP Kali Server

    Contributed twelve recon tools, SSH session management, and reverse shell support to an open-source AI-pentesting framework. Pull request #5 merged after maintainer review.

    Python · Flask · Docker · Git

  2. Burp Suite Automation API

    A REST API extension that exposes Burp's proxy, scanner, and repeater over HTTP, so scans can be scripted and AI tools can run them.

    Python · Jython · Burp Suite · Flask

  3. Fruit Ninja, by hand

    A full Fruit Ninja clone played with real fingers over webcam. MediaPipe tracks fingertips for slicing; face tracking creates fish-tank VR parallax through off-axis 3D projection. About five thousand lines of vanilla JavaScript.

    JavaScript · Three.js · MediaPipe · Canvas2D · Computer vision

  4. Yonkers Car Wash

    Full website and CRM for a car-wash business. Four-step VIP signup wizard with live pricing, membership management, Netlify Forms, and remote ICS monitoring over Tailscale. Membership renewals up 35 percent.

    HTML · CSS · JS · Netlify · Tailscale · RDP/VNC

  5. Wholesome Habits

    Nutrition consulting site for a holistic wellness coach. Glassmorphism UI with 3D tilt cards on hover, cursor-tracked highlight effects, and smooth scroll throughout. Testimonials, FAQ, contact forms, and a consultation booking flow.

    React · JavaScript · CSS3

  6. Flash MMO protocol

    Took apart a multiplayer Flash game's network stack: SmartFoxServer protocol via Wireshark, SWF in JPEXS, native DLLs in Ghidra. Found a client-side anti-cheat bypass: MD5 with a hardcoded salt.

    Wireshark · Ghidra · JPEXS · Cheat Engine

  7. Game asset RE toolkit

    Red Alert 2 modding lacked documented tooling. I reverse engineered VXL, HVA, and MIX through hex dumps, then shipped a Blender addon that exports models to VXL. Wrote a guide for the community.

    Python · Blender API · Hex editing

  8. Full-stack merchant system

    A PERN-stack CRUD application with search, sort, and dark mode. Built end-to-end to learn the stack: React on Vercel, Express and Postgres on Railway.

    React · Node.js · Express · PostgreSQL · Vercel · Railway

  9. Point-cloud hand destruction

    A 3D point cloud in TouchDesigner that you destroy with your hands. MediaPipe tracks the wrist; particles explode outward with noise displacement; a color wave sweeps through. Move your hand back and the form reassembles.

    TouchDesigner · MediaPipe · GLSL · Real-time VFX

More on GitHub.

Findings

  • HackerOne
  • Bugcrowd
  • Intigriti

Program names are not listed because most engagements are under non-disclosure; available on request.

  1. Critical · CVSS 9.1 · duplicated · Intigriti · Monitoring & observability

    Parser allowlist bypass in the SQL expression engine

    The fix for CVE-2026-27876 guarded only one (Into) of the five AST fields that vitess's walkSubtree skips, so a load_file() call placed inside an ORDER BY clause is never seen by the allowlist and still reads arbitrary files on disk. Same primitive class as CVE-2024-9264.

  2. High · submitted, awaiting triage · HackerOne · Crypto platform

    Email injection in a Frappe-based contact form

    The sender parameter is used as the email recipient rather than the sender address, enabling attacker-controlled outbound mail from the platform's legitimate domain with full SPF/DKIM/DMARC alignment and no rate limit. Working end-to-end PoC with chained phishing payload.

  3. High · CVSS 8.6 · submitted May 14 2026, awaiting triage · Intigriti · Cloud infrastructure

    SSRF in a GenAI Knowledge Base web crawler

    The hostname deny-list and the IP resolution check are evaluated before redirects are followed, so an HTTP 302 from an allowed host carries the crawler to 169.254.169.254 (cloud metadata) and to internal infrastructure. A redirect trampoline on an attacker-controlled host yields cloud user-data and reaches the program-provided SSRF endpoints.

  4. High · CVSS 7.5 · duplicated · HackerOne · Crypto platform

    Admin user enumeration via Cognito ForgotPassword

    An unauthenticated GraphQL query leaks the admin client_id. Cognito's ForgotPassword endpoint then returns distinct responses for valid and invalid usernames (CodeDeliveryDetails vs UserNotFoundException), enabling admin email enumeration; the masked destination field additionally leaks the first letter of the address. Patched shortly after testing.

  5. P5 / Informational by program triage · Bugcrowd · Fitness tracking app

    OAuth token exposure on the public authorize page

    Access tokens embedded in window.__STATE__ on the public OAuth authorize page enabled authentication bypass with confirmed account modification (a PUT to a user resource returned 200 OK and changed first_name) and mass user enumeration across IDs 1 through 231M+ via email, name, and query searches, with no rate limiting. Program ruled the modified account was a test user.

  6. CWE-798 / CWE-522 · duplicated · Bugcrowd · Domain registry

    Hardcoded production API credentials in a public JS config

    Production API credentials hardcoded in a publicly accessible JavaScript config on the provider's domain-suggestion product, granting unauthenticated access to all seven backend API endpoints. Triaged as a duplicate of an earlier April 2025 report with restricted key scope.

  7. Medium · triaged valid · HackerOne

    Unauthenticated mail relay

    Email spoofing that passes SPF and carries a valid DKIM signature. Provided CVSS analysis and remediation guidance.
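The bug class behind finding 1, shown on a toy AST as an added example (this is not vitess, Grafana, or the reported product's code; node shapes, field names and the ALLOWED_FUNCS set are assumptions). The first checker enumerates the child fields it knows about and never looks at order_by, so a load_file() in ORDER BY passes; the second walks every dict or list child regardless of what the field is called.

```python
# Added example: a hand-built SQL AST and two allowlist checkers. Not the
# code of any real parser; node types and field names are constructed.

ALLOWED_FUNCS = {"lower", "upper", "count", "sum"}   # assumed allowlist


def func_call(name, *args):
    return {"type": "FuncExpr", "name": name, "args": list(args)}


def column(name):
    return {"type": "ColName", "name": name}


def literal(value):
    return {"type": "Literal", "value": value}


# Constructed AST for:
#   SELECT lower(name) FROM users WHERE id = 1 ORDER BY load_file('/etc/passwd')
QUERY = {
    "type": "Select",
    "exprs": [func_call("lower", column("name"))],
    "from": [{"type": "TableName", "name": "users"}],
    "where": {"type": "Comparison", "op": "=", "left": column("id"), "right": literal(1)},
    "order_by": [{"type": "Order", "expr": func_call("load_file", literal("/etc/passwd")), "dir": "asc"}],
    "into": None,
}

# Fields the naive checker descends into, per node type. Anything not listed
# here (order_by, into, ...) is silently skipped: that omission is the bug.
NAIVE_CHILD_FIELDS = {
    "Select": ("exprs", "from", "where"),
    "FuncExpr": ("args",),
    "Comparison": ("left", "right"),
    "Order": ("expr",),
}


def naive_func_names(node):
    """Collect function names, descending only through NAIVE_CHILD_FIELDS."""
    found = set()
    if isinstance(node, list):
        for child in node:
            found |= naive_func_names(child)
        return found
    if not isinstance(node, dict):
        return found
    if node["type"] == "FuncExpr":
        found.add(node["name"].lower())
    for field in NAIVE_CHILD_FIELDS.get(node["type"], ()):
        found |= naive_func_names(node.get(field))
    return found


def full_func_names(node):
    """Collect function names by walking every dict/list child, whatever its field name."""
    found = set()
    if isinstance(node, list):
        for child in node:
            found |= full_func_names(child)
        return found
    if not isinstance(node, dict):
        return found
    if node.get("type") == "FuncExpr":
        found.add(node["name"].lower())
    for value in node.values():
        if isinstance(value, (dict, list)):
            found |= full_func_names(value)
    return found


def passes_allowlist(ast, collect=full_func_names):
    """True only if every function call the walker reaches is allowlisted."""
    return collect(ast) <= ALLOWED_FUNCS


if __name__ == "__main__":
    print("naive walker sees:", naive_func_names(QUERY))   # {'lower'}
    print("full walker sees: ", full_func_names(QUERY))    # {'lower', 'load_file'}
    print("naive verdict:", passes_allowlist(QUERY, naive_func_names))
    print("full verdict: ", passes_allowlist(QUERY, full_func_names))
```

The lesson generalises past this one parser: a security check built on a hand-maintained list of child fields drifts out of sync with the grammar the moment a node type gains a field, so an allowlist should either walk generically (reflection over every field, as the second walker does) or fail closed on node types and fields it does not explicitly understand.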
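The redirect-trampoline bypass from finding 3, and the re-validation that closes it, as an added example (not the reported crawler's code). The hostnames, the FAKE_DNS table and the FAKE_WEB responses are constructed so the block runs offline; a real crawler would call getaddrinfo and an HTTP client in their place.

```python
import ipaddress
from urllib.parse import urlparse, urljoin

# Added example, not the reported product's code. Everything below the
# imports is constructed: the deny-list, the DNS table and the "web".
DENIED_HOSTS = {"localhost", "metadata.google.internal"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5

# Stand-in for DNS (assumption: a real crawler would resolve with getaddrinfo).
FAKE_DNS = {
    "docs.example.com": "93.184.216.34",
    "attacker.example.net": "45.33.32.156",
}

# Stand-in for the network: url -> (status, headers, body). The attacker's
# page is the trampoline; the metadata URL is where it sends the crawler.
FAKE_WEB = {
    "https://attacker.example.net/page": (302, {"Location": "http://169.254.169.254/latest/user-data"}, b""),
    "http://169.254.169.254/latest/user-data": (200, {}, b"#!/bin/bash\nexport DB_PASSWORD=hunter2\n"),
    "https://docs.example.com/": (200, {}, b"<html>public docs</html>"),
}


def fake_fetch(url):
    return FAKE_WEB.get(url, (404, {}, b""))


def resolve(host):
    """Return the address a hostname maps to, or the host itself if it is an IP literal."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return FAKE_DNS.get(host)


def is_public_target(url):
    """Deny-list plus resolved-address check for a single URL."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host in DENIED_HOSTS:
        return False
    ip = resolve(host)
    if ip is None:
        return False
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
    # which covers the metadata endpoint), CGNAT and other special-purpose ranges.
    return ipaddress.ip_address(ip).is_global


def crawl_vulnerable(url, fetch=fake_fetch):
    """Validates only the submitted URL, then follows Location headers blindly."""
    if not is_public_target(url):
        return {"status": "blocked", "url": url, "body": b""}
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = fetch(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])   # no re-check here: the bypass
            continue
        return {"status": status, "url": url, "body": body}
    return {"status": "blocked", "url": url, "body": b""}


def crawl_hardened(url, fetch=fake_fetch):
    """Treats every hop as a new request: validate, fetch, and only then follow."""
    for _ in range(MAX_REDIRECTS + 1):
        if not is_public_target(url):
            return {"status": "blocked", "url": url, "body": b""}
        status, headers, body = fetch(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return {"status": status, "url": url, "body": body}
    return {"status": "blocked", "url": url, "body": b""}


if __name__ == "__main__":
    print(crawl_vulnerable("https://attacker.example.net/page"))   # 200 from the metadata endpoint
    print(crawl_hardened("https://attacker.example.net/page"))     # blocked at the redirect target
```

Two caveats the hardened version does not cover. Checking the resolved address and then letting the HTTP client resolve the name again is a DNS-rebinding window, so production code should connect to the address it validated (pin it in the transport) rather than re-resolve. And is_global only classifies by address; a crawler that also needs to keep out of a program's own VPC ranges still has to add those explicitly.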

Experience

  1. Equinox · Manager on Duty

    Scarsdale, NY. Promoted from Front Desk Associate at Mamaroneck. Flagship rotations at Hudson Yards and Printing House.

    • Contribute to strategy meetings with the General Manager, Regional Training Manager, and Facility Manager on member retention, personal-training conversion, facility quality, and staff performance.
    • Rebuilt front desk schedule and shift structure; closed a $1,500 labor budget overrun to zero in three months.
    • Run point on in-house tech for the club: BitLocker recovery, Windows blue screens, POS configuration, audio system faults, member-facing hardware. Diagnose first; escalate to the vendor only when a part has genuinely failed.
    • Daily walkthroughs surface cleanliness and equipment risk. Caught a member accessing the club on someone else's account for nearly a month from a photo-ID mismatch the desk had missed; escalated to GM.
    • Coach the front desk team on luxury-club engagement standards. Trained 10+ teammates; cross-trained in Pro Shop. CPR/AED certified.
  2. Yonkers Car Wash · Web & operations

    Yonkers, NY. Built and run a full membership/billing site, remote infrastructure, and the operations behind it.

    • Full-stack membership and billing site; remote ICS monitoring via RDP/VNC over Tailscale.
    • Managed technical operations and marketing. Increased renewals 35% through automated email.
    • Supervised and trained a 15-person team; monitored operations remotely.
  3. Central Deli & Convenience · Co-owner

    Mamaroneck, NY.

    • Hired and trained a team of seven; established service standards.
    • Owned finances: expense tracking, overhead, profit, forecasting in Excel.
    • Food safety, inventory, and quality control.
    • Designed the full in-store menu and the digital TV menus from scratch.

Education & credentials

About

Based in New York. English at work, Arabic at home. I started writing code in high school, and most of it has come from being annoyed at someone else's software.

Burp Suite was a GUI; I wrote an API on top of it. Recon was getting repetitive, so I shipped twelve tools into MCP Kali Server and let an AI run them for me. The maintainer reviewed it and merged. Red Alert 2's voxel format had been undocumented forever; I documented it on a Saturday and shipped a Blender exporter on Sunday. None of this was assigned. I just don't like waiting.

Finished CS at CUNY Lehman in May 2026. I read disassembly for fun and write CRUD apps for money. People keep asking me which side I want to be on. So far the answer is yes.

Daily drivers: Python · JavaScript · Bash · Java · React · Node.js · Express · PostgreSQL. Security: Burp Suite · Ghidra · Cheat Engine · Wireshark · Nmap · SQLMap · Hydra · John the Ripper · Metasploit · SNORT · Splunk · Auditd · subfinder · httpx · nuclei · ffuf · gobuster · arjun · subzy · waybackurls · Shodan. Infrastructure: Proxmox · Docker · VMware · Hyper-V · Tailscale · RDP/VNC · Active Directory · TCP/IP · DNS · Group Policy.

Reach